vulnerability
WordPress Plugin: admin-and-client-message-after-order-for-woocommerce: CVE-2025-13389: Authorization Bypass Through User-Controlled Key
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Nov 24, 2025 | Jan 19, 2026 | Jan 19, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Nov 24, 2025
Added
Jan 19, 2026
Modified
Jan 19, 2026
Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Solution
admin-and-client-message-after-order-for-woocommerce-plugin-cve-2025-13389
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.