Cyber Posture

CVE-2025-69378

Severity: High

Published: 20 February 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: not recorded
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69378 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles. (addresses CWE-266)
- Regular reviews catch incorrect privilege assignments to users, roles, or processes. (addresses CWE-266)
- Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments. (addresses CWE-266)
- The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement. (addresses CWE-266)
- Ensures privileges are assigned only as necessary rather than incorrectly over-granted. (addresses CWE-266)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Incorrect privilege assignment in the WordPress plugin directly enables privilege escalation via exploitation of the vulnerable component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter for WooCommerce prdctfltr allows Privilege Escalation. This issue affects Product Filter for WooCommerce: from n/a through <= 9.1.2.

Deeper analysis (AI-generated)

CVE-2025-69378 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Product Filter for WooCommerce plugin (slug prdctfltr), also known as XforWooCommerce Product Filter for WooCommerce, which enables privilege escalation. The NVD entry gives no lower bound on affected versions ("from n/a"), so every release up to and including 9.1.2 should be treated as affected in WordPress sites running this extension.

The vulnerability carries a CVSS v3.1 base score of 7.2 (High), with a vector of AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Exploitation is network-reachable (AV:N), requires an authenticated attacker who already holds high privileges (PR:H), and needs no user interaction with low attack complexity; the scope is unchanged. A successful exploit yields high impact on confidentiality, integrity, and availability through privilege escalation.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/prdctfltr/vulnerability/wordpress-product-filter-for-woocommerce-plugin-9-1-2-privilege-escalation-vulnerability?_s_id=cve) documents this privilege escalation vulnerability in the WordPress Product Filter for WooCommerce plugin, with 9.1.2 as the last affected version. Security practitioners should consult the advisory for specific mitigation guidance, such as updating to a patched version beyond 9.1.2, and in the meantime review which accounts hold the high-privilege roles the vector requires.

Details

CWE(s)

CWE-266: Incorrect Privilege Assignment
CVEs Like This One

- CVE-2026-27102 (shared CWE-266)
- CVE-2025-69293 (shared CWE-266)
- CVE-2026-25414 (shared CWE-266)
- CVE-2025-31643 (shared CWE-266)
- CVE-2025-33179 (shared CWE-266)
- CVE-2026-27541 (shared CWE-266)
- CVE-2025-24648 (shared CWE-266)
- CVE-2025-1653 (shared CWE-266)
- CVE-2025-23528 (shared CWE-266)
- CVE-2025-67966 (shared CWE-266)

References