CVE-2025-22318
Published: 21 January 2025
Summary
CVE-2025-22318 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22318 is a Missing Authorization vulnerability (CWE-862) in the Standard Box Sizes for WooCommerce plugin developed by enituretechnology. This issue affects the standard-box-sizes plugin for WordPress from unknown initial versions (n/a) through version 1.6.13. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting high severity due to its network accessibility and integrity impact.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no requirement for user interaction. Exploitation bypasses authorization controls, enabling the attacker to perform unauthorized actions that compromise data integrity, such as modifying plugin-related configurations or resources within a vulnerable WordPress site running the affected plugin version.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/standard-box-sizes/vulnerability/wordpress-standard-box-sizes-plugin-1-6-12-broken-access-control-vulnerability?_s_id=cve documents the vulnerability, referring to it as a broken access control issue in version 1.6.12 and providing details relevant to mitigation for affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2718
Vulnerability details
Missing Authorization vulnerability in enituretechnology Standard Box Sizes – for WooCommerce (standard-box-sizes). This issue affects Standard Box Sizes – for WooCommerce: from n/a through <= 1.6.13.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The CVE describes a missing authorization (broken access control) vulnerability in a publicly accessible WordPress plugin, enabling remote unauthenticated exploitation that directly maps to T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5, AI-generated)
AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authorization vulnerability that allows unauthenticated modifications.
SI-2 requires timely remediation of flaws through patching, which would fix the specific broken access control in the vulnerable plugin versions.
AC-6 enforces least privilege, limiting the scope of unauthorized actions even if authorization checks are bypassed in the plugin.