CVE-2025-68018
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-04-01

Assigner: Patchstack

Description
Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ilmosys woc-order-alert From 3.0.0 (inc) to 3.6.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-68018 is a high-priority Broken Access Control vulnerability in the WordPress Order Listener for WooCommerce Plugin (versions up to 3.6.1). It is caused by missing authorization, authentication, or nonce token checks in certain functions, which allows unauthenticated users to perform actions that should require higher privileges. This means attackers can exploit incorrectly configured access control to gain unauthorized access or perform unauthorized actions within the plugin. [1]

Impact Analysis

This vulnerability can have a severe impact as it allows unauthenticated users to perform privileged actions, potentially leading to unauthorized access, data manipulation, or disruption of order processing in WooCommerce. Given its high CVSS score of 9.4, it is highly dangerous and likely to be exploited, which could compromise the security and integrity of your e-commerce platform. [1]

Mitigation Strategies

Immediate mitigation involves applying the Patchstack mitigation rule that blocks all legitimate and illegitimate requests related to this vulnerability to cover all attack scenarios until an official patch is released. This mitigation can be applied automatically via Patchstack’s platform to protect affected websites. Users are strongly advised to implement this mitigation immediately to prevent exploitation. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or unauthenticated requests attempting to access or perform privileged actions on the Order Listener for WooCommerce Plugin (woc-order-alert) versions up to 3.6.1. Since the issue involves missing authorization checks, detection involves identifying suspicious HTTP requests targeting the plugin's endpoints without proper authentication. Patchstack provides a mitigation rule that blocks all legitimate and illegitimate requests related to this vulnerability, which can be used to detect and prevent exploitation. Specific commands are not provided in the available resources, but network monitoring tools or web application firewalls configured with Patchstack's mitigation rules can help detect attempts to exploit this vulnerability. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68018. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart