Missing Authorization Vulnerability in Eyewear Prescription Form Plugin for WordPress
CVE-2025-14365

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Eyewear Prescription Form
Vendor: CVE Published:; 13 December 2025

What is CVE-2025-14365?

The Eyewear Prescription Form plugin for WordPress allows unauthenticated users to exploit a missing authorization check in the RemoveItems AJAX action. This vulnerability enables attackers to delete arbitrary WooCommerce product categories, including their associated child categories, by manipulating the 'catIds' parameter. All versions prior to 6.0.1 are susceptible to this issue, making it crucial for site administrators to implement necessary security measures.

Affected Version(s)

Eyewear prescription form * <= 6.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/eyewear-prescr...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 13, 2025
Vulnerability Reserved
Dec 9, 2025

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

Powpy

Peerapat Samatathanyakorn

JSON