vulnerability
WordPress Plugin: woocommerce-google-adwords-conversion-tracking-tag: CVE-2025-12545: Exposure of Sensitive Information to an Unauthorized Actor
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Nov 18, 2025 | Nov 18, 2025 | Apr 30, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Nov 18, 2025
Added
Nov 18, 2025
Modified
Apr 30, 2026
Description
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to.
Solution
woocommerce-google-adwords-conversion-tracking-tag-plugin-cve-2025-12545
References
- https://www.cve.org/CVERecord?id=CVE-2025-12545
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9babb946-4033-4e66-8f59-b73185ffcd49?source=api-prod
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-197993
- CVE-2025-12545
- https://attackerkb.com/topics/CVE-2025-12545
- CWE-200
- EUVD-EUVD-2025-197993
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.