CVE-2025-15033
Unknown Unknown - Not Provided
Unauthorized Access Vulnerability in WooCommerce Orders

Publication date: 2025-12-22

Last updated on: 2025-12-23

Assigner: WPScan

Description
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15033
EUVD
EUVD-2025-204744
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
woocommerce woocommerce 8.1
woocommerce woocommerce 10.4.3
woocommerce woocommerce 10.4.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects WooCommerce versions 8.1 through 10.4.2 and allows logged-in customers to access order data belonging to guest customers on sites with a specific configuration. It is a sensitive data disclosure issue related to WooCommerce's Store API and its handling of order data permissions. The vulnerability has been fixed starting from WooCommerce version 8.1.3 and in all subsequent point releases up to 10.4.3. [1]

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive order data of guest customers to logged-in customers. This could result in privacy breaches and exposure of personal or transactional information, potentially harming customer trust and the reputation of the affected site. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately update WooCommerce to version 8.1.3 or later, ideally to the latest version 10.4.3 or above, as these versions contain the fix for the vulnerability. Avoid using affected versions between 8.1 and 10.4.2. Additionally, review your site configuration related to the WooCommerce Store API permissions to ensure no unauthorized access to guest customer order data is possible. [1]

Compliance Impact

This vulnerability allows logged-in customers to access order data of guest customers, leading to sensitive data disclosure. Such unauthorized exposure of personal data can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to protect user privacy and confidentiality. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15033. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart