Description
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view information pertaining to other users' orders.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Exposure of Order Information to Authenticated Users
Action: Patch
AI Analysis

Impact

The Order Splitter for WooCommerce plugin contains a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all releases up to and including 5.3.5. This flaw permits any authenticated user with Subscriber-level access or higher to query the endpoint and retrieve order details belonging to other users, thereby exposing sensitive customer data. The flaw corresponds to CWE-862 (Missing Authorization). Because the vulnerability allows data disclosure rather than code execution, the damage is limited to a confidentiality compromise, but one that is still meaningful for e-commerce privacy.

Affected Systems

The affected product is the WordPress plugin 'Order Splitter for WooCommerce' authored by fahadmahmood. Versions 5.3.5 and earlier are vulnerable; versions newer than 5.3.5 are presumed to contain the fix.

Risk and Exploitability

The CVSS score of 4.3 classifies the weakness as Medium severity, and the EPSS score of less than 1% indicates a very low exploitation probability at present. The flaw is not listed in the CISA KEV catalog. Attackers would need to be authenticated and hold at least a Subscriber role; once authenticated, they can invoke the exposed AJAX endpoint to read other users' order information. No elevated privileges or special network conditions are required beyond normal authenticated access.

Generated by OpenCVE AI on April 22, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Order Splitter for WooCommerce plugin to the latest version (≥5.3.6) that applies the missing capability check for the 'wos_troubleshooting' endpoint.
  • If an upgrade cannot be performed immediately, use a custom snippet or security plugin to enforce a capability check on the AJAX handler, allowing only administrators (current_user_can('manage_options')) to access the endpoint.
  • Keep WordPress core and WooCommerce components updated to the latest releases, ensuring a robust security baseline.
  • Optionally, temporarily reduce the capabilities of Subscriber roles via a role‑editor plugin so that they cannot invoke the vulnerable endpoint until a patch is available.
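As an added example (not from the advisory and not the plugin's own code), the interim capability check described in the second action above, written as a must-use plugin. It assumes the plugin registers its own callback on the 'wp_ajax_wos_troubleshooting' action at the default priority (10), so a guard registered at priority 0 runs first; the function name is hypothetical.

```php
<?php
/**
 * Plugin Name: Guard for the wos_troubleshooting AJAX endpoint
 * Description: Temporary capability check for Order Splitter for WooCommerce <= 5.3.5.
 *
 * Place this file in wp-content/mu-plugins/ so WordPress loads it automatically.
 * Remove it once the plugin has been upgraded to a fixed release.
 */

// The AJAX action name 'wos_troubleshooting' comes from the advisory.
// Assumption: the plugin attaches its handler to this hook at the default
// priority (10). Registering at priority 0 makes this guard run first; if it
// terminates the request, the plugin's handler never executes.
add_action( 'wp_ajax_wos_troubleshooting', 'guard_wos_troubleshooting_capability', 0 );

/**
 * Deny the troubleshooting endpoint to anyone who is not an administrator.
 * (Hypothetical function name, not part of the plugin.)
 */
function guard_wos_troubleshooting_capability() {
    if ( current_user_can( 'manage_options' ) ) {
        // Authorized request: fall through so the plugin's own handler runs.
        return;
    }

    // Record the denied attempt so repeated probing by a low-privilege
    // account shows up in the PHP error log for detection purposes.
    $source = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'wos_troubleshooting denied: user %d from %s',
        get_current_user_id(),
        $source
    ) );

    // wp_send_json_error() writes a JSON body and calls wp_die(), which ends
    // the request here. Later callbacks on this hook are never reached.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```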

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

  Values added:
    Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

  Values added:
    First Time appeared: Fahadmahmood; Fahadmahmood order Splitter For Woocommerce; Wordpress; Wordpress wordpress
    Vendors & Products: Fahadmahmood; Fahadmahmood order Splitter For Woocommerce; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

  Values added:
    Description: The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view information pertaining to other user's orders.
    Title: Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure
    Weaknesses: CWE-862
    References
    Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:04.155Z

Reserved: 2025-10-22T14:21:11.127Z

Link: CVE-2025-12075

Vulnrichment

Updated: 2026-02-18T20:46:40.256Z

NVD

Status: Deferred

Published: 2026-02-18T05:16:17.140

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses