CVE-2025-12955
BaseFortify
Publication date: 2025-11-18
Last updated on: 2025-11-18
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | woocommerce | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Live sales notification for WooCommerce plugin for WordPress is due to a missing authorization check in the 'getOrders' function. This flaw allows unauthenticated attackers to access recent order information without proper permission, exposing sensitive customer details such as buyer first names, city, state, country, purchase time and date, and product details.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive customer information. Attackers can extract personal details and purchase data, which could result in privacy violations, identity theft, or targeted attacks against customers. It may also damage the reputation of the affected business and erode customer trust.