CVE-2025-13452 in Admin and Customer Messages after Order for WooCommerce Plugin情報

要約

〜によって MITRE • 2025年11月25日

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

公開

2025年11月25日

モデレーション

承諾済み

エントリ

VDB-333461

CPE

準備完了

CWE

CWE-862 (確認済み)

CVSS

4.3 (CNA)

EPSS

0.00145

KEV

いいえ

アクティビティ

非常低い

セクター

Hostingprovider, Telecommunication, ...

ソース

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-13452
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-13452
CVE Details	https://www.cvedetails.com/cve/CVE-2025-13452/

◂ 前概要次 ▸

Interested in the pricing of exploits?

See the underground prices here!