vulnerability
WordPress Plugin: live-sales-notifications-for-woocommerce: CVE-2025-12955: Missing Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:C/I:N/A:N) | Nov 17, 2025 | Nov 18, 2025 | Nov 19, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:C/I:N/A:N)
Published
Nov 17, 2025
Added
Nov 18, 2025
Modified
Nov 19, 2025
Description
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
Solution
live-sales-notifications-for-woocommerce-plugin-cve-2025-12955
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.