CTX Feed Plugin Allows Shop Managers to Install Malicious Plugins

CVE-2025-12975
Summary

The CTX Feed plugin for WordPress lets authenticated users with Shop Manager-level access install arbitrary plugins, which could let attackers take control of your site. This issue affects all versions up to and including 6.6.11. Update the plugin to a fixed version to address this risk.

Original title
The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing(...
Original description
The CTX Feed – WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install arbitrary plugins which can be leveraged to achieve remote code execution.
NVD CVSS 3.1: 7.2
Vulnerability type
CWE-862 Missing Authorization
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
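
A heuristic source audit for the flaw class described above (a plugin-installing function with no capability check), as an added example that is not CTX Feed's code: it flags PHP functions that reach WordPress plugin-install APIs without calling current_user_can(). The function names and the sample PHP are constructed for illustration, and the brace matching ignores braces inside strings.

```python
import re

# Core APIs that install or activate plugins; a function reaching them needs a capability check.
INSTALL_APIS = ("Plugin_Upgrader", "plugins_api", "activate_plugin")
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")

def function_bodies(php_source):
    """Yield (name, body) per function via brace matching (heuristic: ignores braces in strings)."""
    for m in FUNC_RE.finditer(php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            i += 1
        yield m.group(1), php_source[m.end():i - 1]

def unguarded_installers(php_source):
    """Names of functions that call an install API without any current_user_can() call."""
    flagged = []
    for name, body in function_bodies(php_source):
        reaches_installer = any(api in body for api in INSTALL_APIS)
        has_cap_check = re.search(r"\bcurrent_user_can\s*\(", body) is not None
        if reaches_installer and not has_cap_check:
            flagged.append(name)
    return flagged

# Constructed sample, not the plugin's source: two hypothetical handlers.
SAMPLE = r"""
<?php
function demo_install_unguarded() {
    check_ajax_referer( 'demo_nonce' );
    $slug = sanitize_key( $_POST['slug'] );
    $api  = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $upgrader->install( $api->download_link );
}
function demo_install_guarded() {
    check_ajax_referer( 'demo_nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $api = plugins_api( 'plugin_information', array( 'slug' => 'woocommerce' ) );
}
"""

if __name__ == "__main__":
    print(unguarded_installers(SAMPLE))
```

The first sample handler is flagged even though it verifies a nonce: a nonce check protects against request forgery but does not establish that the caller holds the install_plugins capability.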