CVE-2026-9612
Status: Received - Intake
Sensitive Information Exposure in WhatsOrder WooCommerce Plugin

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Wordfence

Description
The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf function. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details (full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total) from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, so every invoice is directly downloadable over HTTP with no authentication check.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-24
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: yapacdev
Product: whatsorder
Version / Range: up to and including 1.0.1
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress has a vulnerability in all versions up to and including 1.0.1. This vulnerability allows unauthenticated attackers to access sensitive customer information by exploiting the yapacdev_generate_order_pdf function.

Attackers can enumerate sequential order IDs to download invoice HTML files containing personal and order details such as full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total.

These invoice files are stored in a publicly accessible directory (wp-content/uploads/whatsorder_invoices/) without any access restrictions like .htaccess deny rules or index.php guards, making them directly downloadable over HTTP without authentication.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive customer personally identifiable information (PII) and order details.

  • Exposure of full names, email addresses, phone numbers, and billing addresses.
  • Disclosure of order details including items ordered, quantities, prices, applied coupons, shipping methods, and order totals.

Such exposure can result in privacy violations, identity theft risks, and loss of customer trust.

Detection Guidance

This vulnerability can be detected by checking if the publicly accessible directory wp-content/uploads/whatsorder_invoices/ exists and contains invoice HTML files that can be accessed without authentication.

You can attempt to enumerate sequential order IDs by accessing URLs like http://yourdomain.com/wp-content/uploads/whatsorder_invoices/{order_id}.html to see if invoice files are downloadable.

A simple test is to use curl or wget to request invoice files while iterating over order IDs, for example:

  • curl -I http://yourdomain.com/wp-content/uploads/whatsorder_invoices/1.html
  • curl -I http://yourdomain.com/wp-content/uploads/whatsorder_invoices/2.html
  • for i in {1..100}; do curl -I http://yourdomain.com/wp-content/uploads/whatsorder_invoices/$i.html; done

Mitigation Strategies

Immediate mitigation steps include restricting public access to the wp-content/uploads/whatsorder_invoices/ directory by adding an .htaccess deny rule to it and placing an index.php guard in it, so that the invoice files are neither directly downloadable nor listable over HTTP.

Additionally, updating the WhatsOrder plugin to a version later than 1.0.1, if available, or disabling the plugin until a patch is released will help prevent exploitation.

Reviewing and limiting the exposure of sensitive customer information in publicly accessible locations is critical.
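As an added illustration of the mitigation described above (example code written for this page, not the WhatsOrder plugin's own code), the following WordPress snippet creates the invoice directory with both guards the advisory names and serves an invoice only to the authenticated customer who owns the order or to a shop manager. The function name `example_invoice_dir`, the query parameter `example_invoice`, and the `{order_id}.html` file naming are assumptions for the example.

```php
<?php
// Added example (not the WhatsOrder plugin's own code): create the invoice
// directory with both guards the advisory names, and serve an invoice only
// to the order's owner or a shop manager. Function and query names are hypothetical.

function example_invoice_dir(): string {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'whatsorder_invoices/';
    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
    }
    // Apache: refuse every direct request to this directory (2.4 and 2.2 syntax).
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess',
            "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n" .
            "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n" );
    }
    // Stop directory listings on servers that would otherwise index the folder.
    if ( ! file_exists( $dir . 'index.php' ) ) {
        file_put_contents( $dir . 'index.php', "<?php\n// Silence is golden.\n" );
    }
    return $dir;
}

// Gated download endpoint: /?example_invoice=<order_id>
add_action( 'init', function () {
    if ( ! isset( $_GET['example_invoice'] ) ) {
        return;
    }
    $order_id = absint( $_GET['example_invoice'] );
    $order    = wc_get_order( $order_id );
    if ( ! $order instanceof WC_Order ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    // Authorization: the logged-in customer who placed the order, or a shop manager.
    $is_owner   = is_user_logged_in() && (int) $order->get_customer_id() === get_current_user_id();
    $is_manager = current_user_can( 'manage_woocommerce' );
    if ( ! $is_owner && ! $is_manager ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // absint() above already forces a numeric name, so the path cannot leave the directory.
    $file = example_invoice_dir() . $order_id . '.html';
    if ( ! is_file( $file ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    readfile( $file );
    exit;
} );
```

Note that `.htaccess` is honoured only by Apache; on nginx the equivalent `deny all` for the directory must be placed in the server configuration, while the `index.php` guard only prevents directory listings and does not by itself block direct downloads.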
