{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5816", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-06T16:32:21.917Z", "datePublished": "2025-07-18T04:23:01.362Z", "dateUpdated": "2025-07-18T13:53:42.530Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-18T04:23:01.362Z"}, "affected": [{"vendor": "biteship", "product": "Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.2.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the get_order_detail() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's orders."}], "title": "Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48509d43-57bb-452c-b39b-905354a273f3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/public/class-biteship-public.php#L327"}, {"url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/includes/class-biteship.php#L515"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "timeline": [{"time": "2025-07-17T16:22:18.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-18T13:53:35.761080Z", "id": "CVE-2025-5816", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T13:53:42.530Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5816", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-18T13:53:35.761080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-18T13:53:39.563Z"}}], "cna": {"title": "Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details", "credits": [{"lang": "en", "type": "finder", "value": "ch4r0n"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "biteship", "product": "Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.2.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-17T16:22:18.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48509d43-57bb-452c-b39b-905354a273f3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/public/class-biteship-public.php#L327"}, {"url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/includes/class-biteship.php#L515"}], "descriptions": [{"lang": "en", "value": "The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the get_order_detail() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's orders."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-07-18T04:23:01.362Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5816", "state": "PUBLISHED", "dateUpdated": "2025-07-18T13:53:42.530Z", "dateReserved": "2025-06-06T16:32:21.917Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-18T04:23:01.362Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the get_order_detail() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's orders."}, {"lang": "es", "value": "El complemento Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo \u2013 Biteship para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 3.2.0 incluida a trav\u00e9s de get_order_detail() debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, vean los pedidos de otros usuarios."}], "id": "CVE-2025-5816", "lastModified": "2025-07-22T13:06:27.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-07-18T05:15:31.547", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/includes/class-biteship.php#L515"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/biteship/trunk/public/class-biteship-public.php#L327"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48509d43-57bb-452c-b39b-905354a273f3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{}