Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Published: 2025-11-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure – Unauthenticated Access to Order Details
Action: Apply Update
AI Analysis

Impact

The vulnerability in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin originates from a missing capability check in the get_order_by_id() function. Because the function never verifies the caller's privileges, unauthenticated attackers (and any other caller without administrative privileges) can call a REST endpoint and retrieve sensitive WooCommerce order information and private conversation messages between customers and administrators. The flaw is a classic authorization bypass through a user-controlled key (CWE-639), and its impact is the exposure of confidential order data to unauthenticated actors.

Affected Systems

Any WordPress site running the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin at version 14 or earlier is affected. The vulnerability exists in all versions up to and including 14 of the plugin and impacts sites that use WooCommerce to manage orders. Sites that have upgraded beyond version 14 are not affected by this issue.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% suggests that, at the time of this assessment, exploit activity for this vulnerability is expected to be low. The vulnerability is not listed in the CISA KEV catalog. Attackers would typically send an unauthenticated HTTP request to the plugin’s REST API, supplying any order ID to retrieve order details and private conversation messages. No special credentials or additional access are required to exploit the flaw.

Generated by OpenCVE AI on April 21, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 15 or later, which includes the missing capability check on get_order_by_id()
  • If an upgrade is not immediately possible, restrict access to the plugin's REST endpoints using a web-application firewall or host-based rule so that only authenticated users can invoke them
  • Regularly review WooCommerce order logs and implement monitoring to detect unauthorized access attempts and identify any compromised order data
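The root cause described above (a REST callback that fetches an order by a caller-supplied ID without a capability check) and the recommended fix (adding that check) come down to the permission_callback that WordPress requires on every REST route. The following is an added illustration, not code from the OrderConvo plugin or from OpenCVE: the route namespace, the "example_" function names and the response fields are assumptions chosen to show the pattern. The weak registration is shown first so the contrast with the hardened one is clear.

```php
<?php
// Added example, not the plugin's code. Namespace, route and function names are assumed.
// Requires WordPress with WooCommerce active (register_rest_route, current_user_can,
// wc_get_order and WP_Error are core / WooCommerce APIs).

// Weak pattern: permission_callback always returns true, so any unauthenticated
// visitor can request order data for an arbitrary order ID (the CWE-639 situation).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-orderconvo/v1', '/order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_by_id',
        'permission_callback' => '__return_true', // no capability check
    ) );
} );

// Hardened pattern: validate the ID and require either the shop-management
// capability or ownership of the requested order before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-orderconvo/v1', '/secure-order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_by_id',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => 'example_can_view_order',
    ) );
} );

// Authorization decision: who may read this particular order?
function example_can_view_order( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Shop managers and administrators hold the manage_woocommerce capability.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Otherwise the caller must own the order; this is what stops a logged-in
    // customer from walking other customers' order IDs.
    $order = wc_get_order( absint( $request['id'] ) );
    if ( $order && (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You are not allowed to view this order.', array( 'status' => 403 ) );
}

// The data callback itself stays free of authorization logic and returns only
// the fields the feature needs rather than the whole order object.
function example_get_order_by_id( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
```

Two points matter for reviewing a plugin against this class of bug: the check has to live in permission_callback (or at the very top of the callback), not somewhere the route can be reached without passing through it, and a capability check alone is not enough for per-object data; the ownership comparison is what keeps one customer's order ID from disclosing another customer's order and messages.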

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type       | Values Removed | Values Added
References |                |

Thu, 27 Nov 2025 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
Vendors & Products  |                | Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Tue, 25 Nov 2025 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 07:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Title       |                | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:12.024Z

Reserved: 2025-11-18T21:12:44.956Z

Link: CVE-2025-13389

Vulnrichment

Updated: 2025-11-25T14:57:13.699Z

NVD

Status: Deferred

Published: 2025-11-25T08:15:51.010

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses