CVE-2025-13452
📋 TL;DR
This vulnerability allows unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into WooCommerce order conversations. It affects all WordPress sites using the Admin and Customer Messages After Order for WooCommerce plugin version 14 and below. Attackers can manipulate order communications without proper authorization.
💻 Affected Systems
- Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious content, impersonate administrators to issue fraudulent instructions, or disrupt business communications leading to financial loss and reputational damage.
Likely Case
Attackers inject spam, phishing links, or misleading messages into order conversations, potentially tricking customers or administrators into taking harmful actions.
If Mitigated
With proper network controls and monitoring, impact is limited to message injection without escalation to other system components.
🎯 Exploit Status
Exploitation requires direct HTTP requests to the vulnerable REST endpoint with controlled parameters. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 15 or higher
Vendor Advisory: https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Admin and Customer Messages After Order for WooCommerce'.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 15+ from the WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
Remove or restrict access to the vulnerable REST API endpoint
Add to wp-config.php: define('DISABLE_WP_REST_API', true);
Web Application Firewall rule
Block requests to the vulnerable endpoint
WAF rule to block: POST /wp-json/orderconvo/v1/messages
🧯 If You Can't Patch
- Disable the plugin completely until patched
- Implement strict network ACLs to restrict access to WordPress REST API endpoints
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins > Installed Plugins. If version is 14 or lower, you are vulnerable.
Check Version:
wp plugin list --name='admin-and-client-message-after-order-for-woocommerce' --field=version
Verify Fix Applied:
After update, verify plugin version shows 15 or higher. Test by attempting unauthorized REST API calls to confirm they now fail.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-json/orderconvo/v1/messages from unauthenticated IPs
- Messages in WooCommerce orders from unexpected users or containing suspicious content
Network Indicators:
- HTTP POST requests to WordPress REST API orderconvo endpoint without authentication headers
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/orderconvo/v1/messages" AND http_method="POST" AND user_id="-")
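The same detection logic as the SIEM query above, applied to log lines offline, as an added example that is not part of this advisory or the plugin. The key=value log format and the sample lines are constructed; the field names (http_method, uri_path, user_id with "-" meaning unauthenticated) follow the query above.

```python
"""Added detection example: flag unauthenticated POSTs to the OrderConvo
messages endpoint and count them per client IP for alert thresholding."""
import re
from collections import Counter

VULN_ENDPOINT = "/wp-json/orderconvo/v1/messages"

# Constructed sample lines; field names mirror the SIEM query on the page.
SAMPLE_LOG = """\
ts=2025-01-10T09:12:01Z client_ip=203.0.113.5 http_method=POST uri_path=/wp-json/orderconvo/v1/messages user_id=- status=200
ts=2025-01-10T09:12:02Z client_ip=203.0.113.5 http_method=POST uri_path=/wp-json/orderconvo/v1/messages?x=1 user_id=- status=200
ts=2025-01-10T09:13:40Z client_ip=198.51.100.7 http_method=POST uri_path=/wp-json/orderconvo/v1/messages user_id=42 status=200
ts=2025-01-10T09:14:05Z client_ip=203.0.113.9 http_method=GET uri_path=/wp-json/orderconvo/v1/messages user_id=- status=200
ts=2025-01-10T09:15:22Z client_ip=203.0.113.5 http_method=POST uri_path=/wp-json/wp/v2/posts user_id=- status=401
this line is malformed and must be skipped
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; None if required fields are missing."""
    fields = dict(_KV.findall(line))
    return fields if {"http_method", "uri_path", "user_id"} <= fields.keys() else None


def is_suspicious(event):
    """Unauthenticated POST to the vulnerable endpoint, as the SIEM query defines it.
    The query string is stripped so '/messages?x=1' still matches."""
    path = event["uri_path"].split("?", 1)[0]
    return event["http_method"] == "POST" and path == VULN_ENDPOINT and event["user_id"] == "-"


def find_unauth_posts(log_text):
    """Return (matching events, per-IP Counter) over a block of log text."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and is_suspicious(e)]
    return hits, Counter(e.get("client_ip", "?") for e in hits)


if __name__ == "__main__":
    hits, per_ip = find_unauth_posts(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} unauthenticated POST(s) to {VULN_ENDPOINT}")
```

Authenticated posts (user_id set) and GET requests are ignored, so a rule built on this only fires on the pattern the advisory describes; raise the per-IP count threshold to suit your traffic.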
🔗 References
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L113
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L56
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L113
- https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L56
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1dd87c-cc28-43b3-8378-4583dc6de195?source=cve