CVE-2025-15033
📋 TL;DR
A vulnerability in WooCommerce allows logged-in customers to access guest customer order data on sites with specific configurations. This affects WooCommerce versions 8.1 through 10.4.2. The issue has been fixed in WooCommerce 10.4.3 and backported to affected versions starting with 8.1.3.
💻 Affected Systems
- WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Logged-in customers could access sensitive guest customer data including names, addresses, email addresses, and potentially payment information, leading to privacy violations and potential identity theft.
Likely Case
Logged-in customers accessing limited guest order information, potentially violating privacy regulations like GDPR or CCPA.
If Mitigated
Minimal impact if proper access controls and monitoring are in place to detect unauthorized data access attempts.
🎯 Exploit Status
Requires authenticated customer access and specific site configuration. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.4.3 (or 8.1.3, 8.2.3, 8.3.3, 8.4.3, 8.5.3, 8.6.3, 8.7.3, 8.8.3, 8.9.3, 9.0.3, 9.1.3, 9.2.3, 9.3.3, 9.4.3, 10.0.3, 10.1.3, 10.2.3, 10.3.3)
Vendor Advisory: https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WooCommerce and update to version 10.4.3 or later.
4. For older release lines, update to the corresponding patched version (e.g., 8.1.3 for 8.1).
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Disable guest checkout
Force all customers to create accounts before placing orders, eliminating guest order data exposure.
Restrict customer role permissions
Review and limit what data customer roles can access through WordPress user role management.
🧯 If You Can't Patch
- Implement strict access logging and monitoring for customer data access patterns
- Consider temporarily disabling customer account functionality until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check the WooCommerce version in the WordPress admin under Plugins > Installed Plugins. If the version is between 8.1 and 10.4.2 inclusive and is older than the patched release for its line (for example 8.1.2 is vulnerable, 8.1.3 is not), you are vulnerable.
Check Version:
wp plugin list --name=woocommerce --field=version
Verify Fix Applied:
After updating, verify WooCommerce version shows 10.4.3 or later, or the appropriate patched version for your release line.
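Because the fix was backported, a plain "between 8.1 and 10.4.2" range check misclassifies patched releases such as 8.1.3 or 9.3.3. The following POSIX shell snippet is an added example (not code from the advisory, WordPress or WooCommerce) that compares an installed version against the patched release for its own line, using exactly the patch list given above; release lines in the affected range that have no listed backport are reported as affected. The `wp plugin list` command in the usage comment is the same WP-CLI command shown above and is assumed to be run from the WordPress root.

```shell
#!/bin/sh
# Added example: classify a WooCommerce version for CVE-2025-15033.
# Patched releases per line, copied from the advisory's fix list.
PATCHED="8.1.3 8.2.3 8.3.3 8.4.3 8.5.3 8.6.3 8.7.3 8.8.3 8.9.3 9.0.3 9.1.3 9.2.3 9.3.3 9.4.3 10.0.3 10.1.3 10.2.3 10.3.3 10.4.3"

# version_cmp A B: prints -1, 0 or 1 for A < B, A == B, A > B (dotted numeric compare,
# missing components count as 0, so 8.1 == 8.1.0).
version_cmp() {
    vc_a="$1"; vc_b="$2"
    while [ -n "$vc_a" ] || [ -n "$vc_b" ]; do
        vc_ai="${vc_a%%.*}"; vc_bi="${vc_b%%.*}"
        case "$vc_a" in *.*) vc_a="${vc_a#*.}" ;; *) vc_a="" ;; esac
        case "$vc_b" in *.*) vc_b="${vc_b#*.}" ;; *) vc_b="" ;; esac
        vc_ai="${vc_ai:-0}"; vc_bi="${vc_bi:-0}"
        if [ "$vc_ai" -lt "$vc_bi" ]; then echo -1; return; fi
        if [ "$vc_ai" -gt "$vc_bi" ]; then echo 1; return; fi
    done
    echo 0
}

# wc_vulnerable VERSION: exit status 0 when the version is affected, 1 when it is not.
wc_vulnerable() {
    v="${1%%-*}"                      # drop a pre-release suffix such as "-beta.1"
    case "$v" in                      # normalise to major.minor.patch
        *.*.*) ;;
        *.*) v="$v.0" ;;
        *) v="$v.0.0" ;;
    esac
    line="${v%.*}"                    # release line, e.g. "10.4"
    # Anything before 8.1 or at/after 10.4.3 is outside the affected range.
    [ "$(version_cmp "$v" 8.1)" -ge 0 ] || return 1
    [ "$(version_cmp "$v" 10.4.3)" -lt 0 ] || return 1
    for p in $PATCHED; do
        if [ "${p%.*}" = "$line" ]; then
            # A backport exists for this line: affected only if older than it.
            [ "$(version_cmp "$v" "$p")" -lt 0 ] && return 0
            return 1
        fi
    done
    return 0                          # in range, no listed backport for this line
}

# Usage (assumes WP-CLI is installed; run from the WordPress root):
#   wc_vulnerable "$(wp plugin list --name=woocommerce --field=version)" \
#       && echo "AFFECTED: update WooCommerce" || echo "not affected"
if [ -n "${1:-}" ]; then
    if wc_vulnerable "$1"; then echo "$1: AFFECTED"; else echo "$1: not affected"; fi
fi
```

The line-aware comparison matters when a site is pinned to an older branch: 9.3.3 sits inside the 8.1..10.4.2 range yet is fixed, while 9.3.2 on the same line is not.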
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of order data access by customer accounts
- Multiple failed attempts to access order endpoints
- Customer accounts accessing orders not associated with their account
Network Indicators:
- Increased API calls to order endpoints from customer accounts
- Patterns of data exfiltration from order management endpoints
SIEM Query:
source="wordpress" AND (event="order_access" OR event="data_access") AND user_role="customer" AND result="success" | stats count by user_id, order_id
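The log indicators above reduce to one test: a successful order read by a customer-role account whose user id does not match the order's owner, with guest orders (owner id 0, which is how WooCommerce records guest checkouts) the case this CVE concerns. The shell/awk filter below is an added example, not part of the advisory or of WooCommerce; it assumes a constructed key=value application log format (the sample lines are constructed for illustration) and prints one line per suspicious access, tagging guest orders separately from cross-customer reads.

```shell
#!/bin/sh
# Added example: flag customer-role accounts reading orders they do not own.
# Constructed sample log (key=value fields); order_customer_id=0 denotes a guest order.
SAMPLE_LOG='2025-01-10T10:00:01Z event=order_access user_id=42 user_role=customer order_id=1001 order_customer_id=42 result=success
2025-01-10T10:00:02Z event=order_access user_id=42 user_role=customer order_id=1002 order_customer_id=0 result=success
2025-01-10T10:00:03Z event=order_access user_id=42 user_role=customer order_id=1003 order_customer_id=7 result=success
2025-01-10T10:00:04Z event=order_access user_id=7 user_role=shop_manager order_id=1002 order_customer_id=0 result=success
2025-01-10T10:00:05Z event=order_access user_id=42 user_role=customer order_id=1004 order_customer_id=0 result=denied'

# flag_cross_account: reads log lines on stdin, prints "<timestamp> user_id=.. order_id=.. <tag>"
# for every successful order read by a customer that does not own the order.
flag_cross_account() {
    awk '
    {
        split("", f)                                  # reset the field map per line
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        if (f["event"] == "order_access" && f["user_role"] == "customer" \
            && f["result"] == "success" && f["order_customer_id"] != f["user_id"])
            print $1, "user_id=" f["user_id"], "order_id=" f["order_id"], \
                  (f["order_customer_id"] == "0" ? "GUEST_ORDER" : "OTHER_CUSTOMER")
    }'
}

# count_flagged: convenience wrapper returning the number of flagged lines from stdin.
count_flagged() {
    flag_cross_account | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | flag_cross_account
# Expected here: order 1002 tagged GUEST_ORDER and order 1003 tagged OTHER_CUSTOMER;
# the staff read (shop_manager) and the denied attempt are not reported.
```

Denied attempts are deliberately excluded from this output so that it measures actual exposure; the "multiple failed attempts" indicator above is a separate signal and would be counted from result=denied lines instead.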