WordPress Plugin: admin-and-client-message-after-order-for-woocommerce: CVE-2025-13452: Authorization Bypass Through User-Controlled Key
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:N/I:P/A:N) | Nov 24, 2025 | Jan 16, 2026 | Jan 16, 2026 |
Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. The cause is a flawed permission check in the plugin's REST API permission callback: when the request carries no nonce at all, the callback returns true instead of rejecting the request. An unauthenticated attacker can therefore call the REST endpoint directly, omit the nonce, and supply their own user_id, order_id, and context parameters, which the endpoint trusts. This allows the attacker to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation.
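The following is an added example written for this page; it is not the OrderConvo plugin's own code, which the advisory does not quote. It reconstructs the class of bug described above (a REST permission_callback that treats a missing nonce as authorization, and a handler that takes the acting user's identity from the request body) next to a hardened version. Route names, capability choices, and all function names are assumptions for illustration.

```php
<?php
/**
 * Added example, not the OrderConvo plugin's code. Route, capability and
 * function names are hypothetical. Requires WordPress + WooCommerce loaded.
 */

// --- Vulnerable pattern (hypothetical reconstruction of the advisory's bug) ---
// An absent nonce is treated as "authorized". WordPress core has already
// downgraded a cookie request with no valid nonce to user 0, so the only
// notion of "who" the handler has left is the attacker-supplied user_id.
function example_orderconvo_permission_vulnerable( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true; // BUG: missing nonce == allowed
    }
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

function example_orderconvo_handler_vulnerable( WP_REST_Request $request ) {
    // BUG: author identity and target order come straight from the body
    // (a user-controlled key, the CWE-639 pattern named in the title).
    $user_id  = absint( $request->get_param( 'user_id' ) );
    $order_id = absint( $request->get_param( 'order_id' ) );
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    // ... message stored against $order_id, attributed to $user_id ...
    return rest_ensure_response( array( 'ok' => true, 'user_id' => $user_id ) );
}

// --- Hardened pattern ---------------------------------------------------------
// Leave nonce verification to core: a cookie-authenticated REST request with
// no valid X-WP-Nonce is treated as anonymous before permission_callback runs,
// so is_user_logged_in() is the correct primitive. Then check that the
// authenticated user may act on *this* order.
function example_orderconvo_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    // Shop staff may post on any order; a customer only on their own.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may not post to this order.', array( 'status' => 403 ) );
}

function example_orderconvo_handler_hardened( WP_REST_Request $request ) {
    // Identity comes from the authenticated session, never from the body.
    $user_id  = get_current_user_id();
    $order_id = absint( $request->get_param( 'order_id' ) );
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    // ... store $message on $order_id, attributed to $user_id ...
    return rest_ensure_response( array( 'ok' => true, 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-orderconvo/v1', '/message', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_orderconvo_handler_hardened',
        'permission_callback' => 'example_orderconvo_permission_hardened',
        'args'                => array(
            'order_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ); },
            ),
            'message'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

A quick check for either version: POST to the route with curl and no cookie or X-WP-Nonce header (for example `curl -X POST https://shop.example/wp-json/example-orderconvo/v1/message -d order_id=1 -d user_id=1 -d message=hi`, with a hypothetical hostname). The vulnerable permission callback lets the request through and stores a message attributed to user 1; the hardened one answers 401 before the handler runs, and a logged-in customer who names someone else's order_id gets 403.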