Description
Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in tychesoftwares Custom Order Numbers for WooCommerce results from missing authorization checks that allow unauthorized users to exercise functions reserved for privileged roles. This broken access control flaw enables an attacker to manipulate or access order numbering features that should be restricted to administrators or trusted personnel. The weakness is identified as CWE‑862, where improper enforcement of access controls can compromise the confidentiality, integrity, or availability of the affected system.

Affected Systems

WordPress sites running the Custom Order Numbers for WooCommerce plugin version 1.11.0 or earlier. The affected product is provided by the vendor tychesoftwares and the vulnerability covers all releases up to and including 1.11.0.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is remote via web requests that target privileged plugin endpoints (e.g., AJAX or REST API calls). An attacker who can send crafted requests may bypass role checks and gain unauthorized control over order numbers.

Generated by OpenCVE AI on April 29, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available version of the Custom Order Numbers for WooCommerce plugin that addresses this flaw.
  • If a patch is not yet released, deactivate or uninstall the plugin until an updated version is available to eliminate the vulnerability.
  • Review the plugin’s role‑based access settings and enforce that only authorized administrators can modify order numbers or access privileged functionality.

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 20:15:00 +0000

Type: Metrics

Values Removed:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 24 Nov 2025 18:15:00 +0000

Type: Metrics

Values Removed:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared

Values Added:
  • Tychesoftwares
  • Tychesoftwares custom Order Numbers For Woocommerce
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products

Values Added:
  • Tychesoftwares
  • Tychesoftwares custom Order Numbers For Woocommerce
  • Wordpress
  • Wordpress wordpress

Fri, 21 Nov 2025 22:15:00 +0000

Type: Metrics

Values Added:
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Order Numbers for WooCommerce: from n/a through <= 1.11.0.

Type: Title
Values Added: WordPress Custom Order Numbers for WooCommerce plugin <= 1.11.0 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:06:30.520Z

Reserved: 2025-11-21T11:20:46.956Z

Link: CVE-2025-66071

Vulnrichment

Updated: 2025-11-21T21:51:06.484Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:48.090

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:45:10Z

Weaknesses