CVE-2025-13452 in Admin and Customer Messages after Order for WooCommerce Plugininformação

Sumário

de MITRE • 25/11/2025

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Divulgação

25/11/2025

Moderação

aceite

Entrada

VDB-333461

CPE

pronto

CWE

CWE-862 (confirmado)

CVSS

4.3 (CNA)

EPSS

0.00145

KEV

não

Atividades

muito baixo

Sector

Telecommunication, Transportation, ...

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-13452
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-13452
CVE Details	https://www.cvedetails.com/cve/CVE-2025-13452/

◂ Voltar Visão Geral Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!