CVE-2025-13389
📋 TL;DR
The WooCommerce OrderConvo plugin has an authorization bypass vulnerability that allows unauthenticated attackers to view sensitive order details and private customer-admin conversations by manipulating order IDs. This affects all WordPress sites using the plugin version 14 or earlier. Attackers can access confidential customer data without any authentication.
💻 Affected Systems
- Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin
⚠️ Manual Verification Required
NVD does not publish version ranges (CPE data) for this CVE, so scanners that key on NVD version data cannot tell whether an install is affected. The Wordfence advisory and the plugin's trac history referenced below do give the range: version 14 and earlier is affected, version 15 fixes it. Verify by plugin version instead of relying on automated matching:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of WooCommerce order data, including customer PII (names, billing and shipping details), order contents, and private admin-customer conversations, by an attacker walking the order ID space, leading to regulatory violations and reputational damage.
Likely Case
Targeted data harvesting of customer information and business communications, potentially used for phishing, fraud, or competitive intelligence gathering.
If Mitigated
Limited exposure if plugin is disabled or network access is restricted, though the vulnerability remains present in the codebase.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable REST endpoint with manipulated order IDs. No authentication or special tools needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15 or later
Source (plugin trac; no separate vendor advisory is referenced): https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Admin and Customer Messages After Order for WooCommerce: OrderConvo'.
4. Click 'Update Now' if an update to version 15 or later is available.
5. If no update is available, deactivate and remove the plugin immediately; a deactivated plugin's code is not loaded, so its REST routes are no longer registered.
🔧 Temporary Workarounds
Restrict the vulnerable REST endpoint
Restrict access to the REST routes registered in includes/wprest.class.php. WordPress core has no DISABLE_WP_REST_API constant, so a wp-config.php define does nothing; use a must-use plugin that rejects anonymous requests to the plugin's route namespace instead. The /orderconvo/ prefix is the one used elsewhere on this page; confirm it against the register_rest_route() calls in wprest.class.php before deploying.
# wp-content/mu-plugins/restrict-orderconvo-rest.php
<?php
add_filter( 'rest_authentication_errors', function ( $result ) {
    // rest_route is populated for both /wp-json/... and ?rest_route=... requests.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    if ( empty( $result ) && 0 === strpos( $route, '/orderconvo/' ) && ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
}, 101 ); // after core's cookie/nonce check (priority 100) so is_user_logged_in() is authoritative
# Or block the pretty-permalink form in .htaccess, above the WordPress rewrite block
# (does not cover the ?rest_route=/orderconvo/... query form):
RewriteRule ^wp-json/orderconvo/.*$ - [F,L]
Caveat: this also blocks the plugin's own front end for visitors who are not logged in, and if the plugin's JavaScript calls the route without an X-WP-Nonce header, core treats logged-in customers as anonymous and they are blocked too. Test on staging; it is a stopgap until version 15 is installed.
Deactivate plugin
Immediately disable the vulnerable plugin
wp plugin deactivate admin-and-client-message-after-order-for-woocommerce
# Or via WordPress admin: Plugins → Installed Plugins → Deactivate
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules that block anonymous requests to the plugin's REST namespace in both URL forms: /wp-json/orderconvo/* and /index.php?rest_route=/orderconvo/* (namespace assumed from the references on this page; confirm it in wprest.class.php)
- Scope any REST API restriction to that namespace rather than the whole API; blocking all of /wp-json/ breaks the block editor, WooCommerce's Store API and other legitimate clients
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Admin and Customer Messages After Order for WooCommerce: OrderConvo' version 14 or earlier.
Check Version:
wp plugin list --name='admin-and-client-message-after-order-for-woocommerce' --field=version
Verify Fix Applied:
Verify the plugin version is 15 or later, or confirm the plugin is deactivated/removed. Then request one of the plugin's REST routes for an order you own as an anonymous client (no cookies, no X-WP-Nonce header) and confirm you receive a 401/403 rather than the order data.
📡 Detection & Monitoring
Log Indicators:
- Unusual volume of GET requests to /wp-json/orderconvo/* endpoints
- The same client receiving a mix of 200 and 4xx responses for different order IDs on these endpoints, consistent with walking the ID space
- Requests with sequential or unusual order ID patterns
Network Indicators:
- HTTP requests to the plugin's REST order endpoints carrying no WordPress auth cookie or X-WP-Nonce header (typical web server logs do not record auth state, so infer it from request headers or volume)
- Traffic patterns showing enumeration of order IDs
SIEM Query:
source="web_logs" status=200 (uri_path="/wp-json/orderconvo/*" OR uri_query="*rest_route=/orderconvo/*")
| rex field=uri_path "/(?<order_id>\d+)(/|$)"
| stats dc(order_id) AS distinct_orders, count BY src_ip
| where distinct_orders > 20
The threshold is a starting point: tune it to your legitimate traffic, and add an alert on distinct_orders growing within a short window. Web server logs normally carry no auth_status field, so enumeration is detected from the spread of order IDs per client rather than from an authentication flag.
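The detection logic described above, as an added example that is not part of the original advisory, the plugin or Wordfence: it parses combined-format access log lines, recognises the plugin's REST calls in both the pretty-permalink and ?rest_route= forms, pulls the order ID out of each request, and flags clients that fetched many distinct IDs or a run of consecutive IDs. The /orderconvo/ namespace, the v1/order/<id> route shape, the order_id/id parameter names and the log lines themselves are assumptions constructed for the example; check the real route shape against register_rest_route() in includes/wprest.class.php.

```python
"""
Flag order-ID enumeration against the OrderConvo REST namespace in web access logs.

Example code added for this advisory; not from the plugin or from Wordfence.
Assumed (not confirmed by the advisory): routes live under /wp-json/orderconvo/
(or /index.php?rest_route=/orderconvo/...) and carry the order ID as a numeric
path segment or an order_id=/id= query parameter. Sample log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed namespace; confirm against register_rest_route() in includes/wprest.class.php.
NAMESPACE = "orderconvo"


def orderconvo_order_id(target):
    """Return the order ID a request targets, or None if it is not an OrderConvo REST call."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    path = parts.path
    # Pretty-permalink form: /wp-json/orderconvo/...  Query form: ?rest_route=/orderconvo/...
    if not path.startswith(f"/wp-json/{NAMESPACE}/"):
        route = qs.get("rest_route", [""])[0]
        if not route.startswith(f"/{NAMESPACE}/"):
            return None
        path = route
    for key in ("order_id", "id"):  # assumed parameter names
        if key in qs and qs[key][0].isdigit():
            return int(qs[key][0])
    m = re.search(r"/(\d+)(?:/|$)", path)  # numeric path segment, e.g. .../order/1042
    return int(m.group(1)) if m else None


def find_enumerators(lines, min_ids=5, min_run=4):
    """Group successful OrderConvo reads by client IP and flag enumeration.

    An IP is flagged when it fetched at least `min_ids` distinct order IDs, or when
    at least `min_run` of its IDs are consecutive integers (a sequential walk).
    Returns {ip: {"ids": sorted list, "longest_run": int}} for flagged IPs only.
    """
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("status") != "200":
            continue  # only successful reads leak data; 4xx responses are probing noise
        oid = orderconvo_order_id(m.group("target"))
        if oid is not None:
            ids_by_ip[m.group("ip")].add(oid)

    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if len(ordered) >= min_ids or longest >= min_run:
            flagged[ip] = {"ids": ordered, "longest_run": longest}
    return flagged


# Constructed sample: one client walking IDs 1040-1046 (mixing both URL forms),
# one ordinary customer, one probe that got a 404.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Dec/2025:10:00:0{i} +0000] "GET /wp-json/orderconvo/v1/order/{1040 + i} HTTP/1.1" 200 812 "-" "python-requests/2.32"'
    for i in range(6)
] + [
    '203.0.113.7 - - [10/Dec/2025:10:00:07 +0000] "GET /index.php?rest_route=/orderconvo/v1/order/1046 HTTP/1.1" 200 812 "-" "python-requests/2.32"',
    '198.51.100.4 - - [10/Dec/2025:10:01:00 +0000] "GET /wp-json/orderconvo/v1/order/2210 HTTP/1.1" 200 640 "https://shop.example/my-account/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Dec/2025:10:01:03 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2025:10:02:00 +0000] "GET /wp-json/orderconvo/v1/order/99999 HTTP/1.1" 404 120 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['ids'])} order IDs, longest consecutive run {info['longest_run']}")
```

Run it against a real access.log with `find_enumerators(open("access.log"))`; the status filter means a client that only collects 404s is not flagged, so pair it with the 4xx-mix indicator above if you also want to see failed probing.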
🔗 References
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve