Description
The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf function. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.
Published: 2026-06-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WhatsOrder – Instant Checkout for WooCommerce plugin allows unauthenticated attackers to access customer invoices that contain personally identifiable information, such as names, email addresses, phone numbers, billing addresses, purchase details, coupons, shipping methods, and totals. By enumerating sequential order identifiers the attacker can download the invoice HTML files that are saved to wp-content/uploads/whatsorder_invoices/, which is publicly accessible because the directory lacks security controls. The exposed data can be used for phishing, fraud, or identity theft.

Affected Systems

The vulnerability affects the Yapacdev WhatsOrder plugin for WooCommerce in all released versions up to and including 1.0.1. WordPress sites that have this plugin installed and use the default invoice generation path are at risk. No specific operating system or PHP version constraints are stated.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, mainly because no authentication is required. Because the attack vector is simple HTTP requests to publicly accessible URLs, the likelihood of exploitation is considerable for any site exposing the invoices. EPSS is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. An attacker does not need local credentials and can enumerate order IDs to trigger the flaw. The consequence is total loss of confidential customer data and potential regulatory non-compliance.

Generated by OpenCVE AI on June 24, 2026 at 09:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WhatsOrder plugin to the latest release (version > 1.0.1), which removes the publicly writable invoices directory or implements proper access checks.
  • If an update is not immediately possible, isolate the invoices directory by adding an .htaccess rule that denies all external access, or by moving the files outside of the web root.
  • Modify the invoice generation flow to serve PDFs through a controlled endpoint that validates user authentication and authorization before delivering the file.
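The two controls the recommendations describe, as an added example written for this page (it is not the WhatsOrder plugin's own code and not taken from OpenCVE): the directory is created together with an .htaccess deny rule and an index.php guard, and invoices are delivered only through an authenticated endpoint that checks the requester owns the order. The function names, the hook name example_invoice, the directory name whatsorder_invoices_example and the file naming scheme invoice-{id}.html are assumptions; the WordPress and WooCommerce API calls (wp_upload_dir, wp_mkdir_p, wp_verify_nonce, wc_get_order, current_user_can, admin_post_ hooks) are real.

```php
<?php
// Added illustrative example, not the plugin's code. Names prefixed "example_" are hypothetical.

/**
 * Create the invoice directory with the two guards the affected directory lacks:
 * an .htaccess deny rule and an index.php that prevents directory listing.
 * Returns the directory path, or false on failure.
 */
function example_secure_invoice_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'whatsorder_invoices_example/';

    if ( ! wp_mkdir_p( $dir ) ) {
        return false;
    }

    // Apache 2.4 syntax first, 2.2 fallback; Nginx ignores .htaccess and needs an
    // equivalent "location" deny block in the server configuration.
    $htaccess = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\n    Deny from all\n</IfModule>\n";
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess', $htaccess );
    }
    if ( ! file_exists( $dir . 'index.php' ) ) {
        file_put_contents( $dir . 'index.php', "<?php\n// Silence is golden.\n" );
    }
    return $dir;
}

/**
 * Serve an invoice through a controlled endpoint instead of a static upload URL.
 * Link format (logged-in users only, via admin-post.php):
 *   /wp-admin/admin-post.php?action=example_invoice&order_id=123&_wpnonce=<nonce>
 * where the nonce is created with wp_create_nonce( 'example_invoice_' . $order_id ).
 */
function example_serve_invoice() {
    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    $nonce    = isset( $_GET['_wpnonce'] ) ? (string) $_GET['_wpnonce'] : '';

    // A per-order nonce stops a link from being reused for a different order id.
    if ( ! $order_id || ! wp_verify_nonce( $nonce, 'example_invoice_' . $order_id ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 400 ) );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_die( 'Not found.', '', array( 'response' => 404 ) );
    }

    // Authorization: only the order's own customer or a shop manager may read it.
    $user_id    = get_current_user_id();
    $is_owner   = $user_id && (int) $order->get_customer_id() === $user_id;
    $is_manager = current_user_can( 'manage_woocommerce' );
    if ( ! $is_owner && ! $is_manager ) {
        wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
    }

    $dir  = example_secure_invoice_dir();
    $file = $dir ? $dir . 'invoice-' . $order_id . '.html' : '';
    // realpath() comparison rejects any resolved path outside the invoice directory.
    if ( ! $file || ! is_file( $file ) || strpos( realpath( $file ), realpath( $dir ) ) !== 0 ) {
        wp_die( 'Not found.', '', array( 'response' => 404 ) );
    }

    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="invoice-' . $order_id . '.html"' );
    readfile( $file );
    exit;
}

// admin_post_{action} fires only for authenticated users; the admin_post_nopriv_
// variant is deliberately not registered, so anonymous requests get the login page.
add_action( 'admin_post_example_invoice', 'example_serve_invoice' );
```

The .htaccess rule only closes the static path on Apache; the endpoint is what actually enforces ownership, so both are needed, and on Nginx the deny rule must live in the server configuration instead.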


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 06:30:00 +0000

  Description added: The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf function. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.
  Title added: WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs
  Weaknesses added: CWE-200
  References added: (none listed)
  Metrics (cvssV3_1) added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T12:19:28.494Z

Reserved: 2026-05-26T16:28:53.424Z

Link: CVE-2026-9612

Vulnrichment

Updated: 2026-06-24T12:19:16.412Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor