CVE-2025-13389 in Admin and Customer Messages after Order for WooCommerce Plugin
Summary
by MITRE • 11/25/2025
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 11/25/2025
The vulnerability identified as CVE-2025-13389 affects the OrderConvo plugin for WooCommerce, a widely used WordPress extension that facilitates communication between administrators and customers regarding orders. This plugin enables the creation of private messaging systems within WooCommerce stores, allowing customers to communicate with administrators about their orders while maintaining confidentiality. The security flaw exists in the plugin's handling of order data retrieval functions, specifically the `get_order_by_id()` method that lacks proper authorization checks. This critical oversight allows attackers to bypass normal access controls and retrieve sensitive order information without proper authentication. The vulnerability impacts all versions of the plugin up to and including version 14, making it a widespread concern for WooCommerce store owners who have not updated their installations.
The technical implementation of this vulnerability stems from a missing capability check within the plugin's API endpoint handling. When an attacker calls the `get_order_by_id()` function, the system fails to verify whether the requesting user has proper authorization to access the specified order data. This flaw aligns with CWE-284, which describes improper access control vulnerabilities where insufficient checks allow unauthorized users to access protected resources. The vulnerability operates at the application layer and can be exploited through direct API calls or by crafting malicious requests that target the plugin's order retrieval functionality. Attackers need only know or guess a valid WooCommerce order ID to exploit this weakness, making it particularly dangerous as it requires minimal reconnaissance to identify vulnerable systems.
The operational impact of this vulnerability extends beyond simple data exposure, creating significant risks for e-commerce businesses and their customers. Unauthenticated attackers can access complete order details including customer names, shipping addresses, billing information, product purchases, order totals, and private conversation messages between customers and administrators. This exposure violates privacy standards and could lead to identity theft, fraud, and loss of customer trust. The vulnerability affects the confidentiality aspect of the CIA triad, as it allows unauthorized disclosure of sensitive business and customer information. Additionally, the exposure of private conversations between customers and administrators may reveal business strategies, customer service issues, or internal communications that could be exploited for competitive advantage or social engineering attacks. The attack surface is particularly concerning given that WooCommerce is one of the most popular e-commerce platforms, increasing the potential impact of this vulnerability across numerous online businesses.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to the latest version where the capability check has been implemented. System administrators should also implement network-level restrictions to limit access to the plugin's API endpoints and consider implementing additional authentication layers. According to ATT&CK framework tactic TA0001 (Initial Access) and technique T1190 (Exploit Public-Facing Application), this vulnerability represents a common attack vector that exploits publicly accessible web applications. Organizations should conduct thorough vulnerability assessments of their WordPress installations to identify other potentially affected plugins and ensure proper access controls are in place. Regular security monitoring and log analysis can help detect unauthorized access attempts, while implementing web application firewalls may provide additional protection against exploitation attempts. The vulnerability underscores the importance of proper input validation and capability checks in web applications, particularly when handling sensitive customer data, and reinforces the need for regular security updates and patch management processes.