CVE-2025-12955

Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure

CVSS 7.5 HIGHEPSS 0.3%CWE-862

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 nov 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Productos afectados

rajeshsingh520 · PiWeb Live sales notification for WooCommerce

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394241%40live-sales-notifications-for-woocommerce&old=3389540%40live-sales-notifications-for-woocommerce&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/1cebcf16-ae7f-45c4-8e1d-80ede4c32106?source=cve