CVE-2025-1284
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to view other users' invoices and orders containing sensitive information. It affects the Woocommerce Automatic Order Printing plugin due to missing validation on user-controlled parameters in the xc_woo_printer_preview AJAX action.
💻 Affected Systems
- Woocommerce Automatic Order Printing (Formerly WooCommerce Google Cloud Print)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access all customer invoices and orders, exposing personally identifiable information (PII), payment details, and business transaction data, potentially leading to data breaches and regulatory violations.
Likely Case
Authenticated users with minimal privileges can view other users' order history and invoice details, compromising customer privacy and potentially enabling social engineering or targeted attacks.
If Mitigated
With proper access controls and validation, only authorized users can access their own invoices, maintaining data confidentiality and compliance with privacy regulations.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber-level or higher). The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.2 or later
Vendor Advisory: https://codecanyon.net/item/woocommerce-google-cloud-print/21129093
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Woocommerce Automatic Order Printing'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 4.2+ from CodeCanyon and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the xc_woo_printer_preview AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_xc_woo_printer_preview', 'xc_woo_printer_preview'); remove_action('wp_ajax_nopriv_xc_woo_printer_preview', 'xc_woo_printer_preview');
Temporary plugin deactivation
linuxDisable the plugin until patched
wp plugin deactivate woocommerce-google-cloud-print
🧯 If You Can't Patch
- Implement strict access controls to limit authenticated user permissions
- Monitor and audit access to invoice and order viewing functionality
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 4.1 or earlier, the system is vulnerable.Check Version:
wp plugin get woocommerce-google-cloud-print --field=versionVerify Fix Applied:
Confirm plugin version is 4.2 or higher. Test authenticated user access to other users' invoices should be denied.📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to admin-ajax.php with action=xc_woo_printer_preview from same user
- Unusual access patterns to invoice/order endpoints from non-admin users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=xc_woo_printer_preview parameter
SIEM Query:
source="wordpress" AND url="/wp-admin/admin-ajax.php" AND post_data="action=xc_woo_printer_preview"