CVE-2025-13452 in Admin and Customer Messages after Order for WooCommerce Plugin
Summary
by MITRE • 11/25/2025
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.
Analysis
by VulDB Data Team • 11/25/2025
The vulnerability identified as CVE-2025-13452 affects the OrderConvo plugin for WordPress, specifically targeting the Admin and Customer Messages After Order functionality. This plugin integrates with WooCommerce to facilitate communication between administrators and customers regarding specific orders. The flaw resides in the plugin's REST API implementation where proper authorization checks have been omitted, creating a critical security gap that can be exploited by unauthorized parties.
The technical root cause is a flawed permission callback on the plugin's REST API endpoints. Under CWE-863 this is classed as an "Incorrect Authorization" weakness: the system fails to verify that the caller is an authenticated user with the permissions needed for the requested operation. Here the permission check returns a positive authorization result whenever no authentication nonce is supplied at all, so the authentication mechanism is bypassed simply by omitting the nonce. As a result, the REST endpoint can be called directly without valid user credentials or session validation.
The operational impact of this vulnerability is significant as it enables unauthenticated attackers to completely compromise the order messaging system. An attacker can impersonate any WordPress user within the system by simply providing a valid user_id parameter in their API request, regardless of their actual authentication status. This unauthorized access extends to injecting arbitrary messages into any WooCommerce order conversation, potentially leading to misinformation, fraud, or disruption of legitimate business operations. The vulnerability affects all versions up to and including 14, indicating a widespread exposure across multiple plugin releases.
The attack vector for this vulnerability is straightforward and requires minimal technical expertise to exploit. An attacker only needs to make direct calls to the affected REST endpoint with properly constructed parameters, including user_id, order_id, and context. This approach aligns with ATT&CK technique T1078.004, which covers "Valid Accounts: Cloud Accounts", and demonstrates how missing authorization checks can enable privilege escalation. The vulnerability essentially allows attackers to perform actions that should require administrative privileges, making it particularly dangerous for e-commerce environments where order integrity and customer communication are critical.
Organizations using the affected plugin should immediately implement mitigations including updating to the latest version where the authorization flaw has been patched, implementing additional access controls at the web server level, and monitoring REST API access logs for suspicious activity. The patch should address the specific permission callback logic to ensure proper authentication verification before allowing any API operations to proceed. Additionally, administrators should consider implementing rate limiting and additional monitoring mechanisms to detect potential exploitation attempts. This vulnerability highlights the importance of proper authorization checking in REST API implementations and serves as a reminder that even seemingly minor permission flaws can lead to significant security breaches in e-commerce systems.
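To make the permission-callback flaw described in the analysis and the patch guidance above concrete, here is an added illustration (not OrderConvo's own code) of a WordPress REST route whose `permission_callback` exhibits the same "no nonce means authorized" pattern, beside a hardened callback that requires a logged-in user and ties the message author to the verified session rather than a request parameter. The route namespace, path and function names are hypothetical; the WordPress and WooCommerce functions used are real APIs.

```php
<?php
// Added illustration, not OrderConvo's own code. Namespace, path and function
// names are hypothetical; the WordPress/WooCommerce calls are real APIs.

// WEAK: a missing nonce is treated as authorized, so an unauthenticated caller
// passes and the handler ends up trusting whatever user_id the request carries.
function ocdemo_weak_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true; // the flaw
    }
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// HARDENED: require a logged-in user and check that this user may act on this
// order (shop staff, or the order's own customer). WordPress core already treats
// cookie-authenticated REST calls without a valid X-WP-Nonce as logged out.
function ocdemo_safe_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Unknown order.', array( 'status' => 404 ) );
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not your order.', array( 'status' => 403 ) );
}

function ocdemo_add_message( WP_REST_Request $request ) {
    // The author comes from the verified session, never from a user_id parameter.
    $user_id = get_current_user_id();
    $text    = sanitize_textarea_field( $request->get_param( 'message' ) );
    // ... persist ( $user_id, order_id, $text ) here ...
    return rest_ensure_response( array( 'ok' => true, 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'ocdemo/v1', '/message', array(
        'methods'             => 'POST',
        'callback'            => 'ocdemo_add_message',
        'permission_callback' => 'ocdemo_safe_permission', // not ocdemo_weak_permission
        'args'                => array( 'order_id' => array( 'required' => true ), 'message' => array( 'required' => true ) ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for any `permission_callback` whose early return on a missing or empty nonce is `true` rather than `false`/`WP_Error`, and for handlers that read the acting user's identity from request parameters instead of `get_current_user_id()`.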