Urgent: Critical Vulnerability Exposes Customer Data in WooCommerce Live Sales Notifications Plugin (CVE-2025-12955)

Overview

A critical vulnerability, identified as CVE-2025-12955, has been discovered in the Live Sales Notifications for WooCommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to access sensitive customer information due to a missing authorization check in the `getOrders` function. All versions up to and including 2.3.39 are affected. If you use this plugin, it is critical that you update to the latest version as soon as possible.

Technical Details

The vulnerability lies in the `getOrders` function of the plugin, which is responsible for retrieving recent order data to display in the live sales notifications. The plugin lacks proper authorization and capability checks within this function. This means that anyone, even an unauthenticated user, can send a request to this function and receive sensitive data. The exposed data includes:

  • Buyer first names
  • City
  • State
  • Country
  • Purchase time and date
  • Product details

Because no authorization is enforced, an attacker bypasses the access controls the plugin should apply and reads this information directly. The affected code is part of the plugin itself and can be reached without holding any user privileges on the site.
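As an added illustration (not the plugin's own code; its action name, function internals and fix are not reproduced here, and the identifiers below are assumed), the first handler shows the defect class described above, a WordPress AJAX callback registered for logged-out visitors that returns order data with no authorization check, and the second shows the hardened form with a nonce check, a capability check and a minimised response:

```php
<?php
// Hypothetical names (lsn_*) used for illustration only; not the vulnerable plugin's code.

// --- Vulnerable pattern: registered for unauthenticated callers, no capability check ---
add_action( 'wp_ajax_nopriv_lsn_get_orders', 'lsn_get_orders_vulnerable' );
add_action( 'wp_ajax_lsn_get_orders', 'lsn_get_orders_vulnerable' );

function lsn_get_orders_vulnerable() {
    // Any request to admin-ajax.php?action=lsn_get_orders reaches this line.
    $orders = wc_get_orders( array( 'limit' => 10, 'orderby' => 'date', 'order' => 'DESC' ) );
    $out    = array();
    foreach ( $orders as $order ) {
        $out[] = array(
            'first_name' => $order->get_billing_first_name(),
            'city'       => $order->get_billing_city(),
            'state'      => $order->get_billing_state(),
            'country'    => $order->get_billing_country(),
            'date'       => $order->get_date_created() ? $order->get_date_created()->date( 'c' ) : '',
            'items'      => array_map( fn( $item ) => $item->get_name(), array_values( $order->get_items() ) ),
        );
    }
    wp_send_json_success( $out ); // full buyer and purchase details leave the site unauthenticated
}

// --- Hardened pattern: no _nopriv_ hook, nonce + capability check, minimal fields ---
add_action( 'wp_ajax_lsn_get_orders_secure', 'lsn_get_orders_hardened' );

function lsn_get_orders_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'lsn_get_orders_secure', 'nonce' );

    // 2. Authorization: only users allowed to manage the shop may read order records.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    // 3. Data minimisation: return only what a notification widget needs, never the full record.
    $orders = wc_get_orders( array( 'limit' => 5, 'orderby' => 'date', 'order' => 'DESC', 'status' => 'completed' ) );
    $out    = array();
    foreach ( $orders as $order ) {
        $items = array_values( $order->get_items() );
        $out[] = array(
            'first_initial' => mb_substr( $order->get_billing_first_name(), 0, 1 ),
            'country'       => $order->get_billing_country(),
            'product'       => $items ? $items[0]->get_name() : '',
        );
    }
    wp_send_json_success( $out );
}
```

If the notification must be shown to anonymous visitors, the same minimisation still applies: serve a cached, pre-sanitised feed built server-side rather than exposing the order query through an unauthenticated handler.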

CVSS Analysis

This vulnerability has been assigned a CVSS score of 7.5 (HIGH). The score reflects the potential for sensitive data exposure by an unauthenticated remote attacker. The CVSS vector consistent with this score is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating:

  • AV:N (Network): The vulnerability is exploitable over the network.
  • AC:L (Low): The attack complexity is low.
  • PR:N (None): No privileges are required to exploit the vulnerability.
  • UI:N (None): No user interaction is required.
  • S:U (Unchanged): A successful exploit stays within the vulnerable component's security scope.
  • C:H (High): There is a high impact to confidentiality.
  • I:N (None): There is no impact to integrity.
  • A:N (None): There is no impact to availability.

Possible Impact

The exposure of customer data can have serious consequences, including:

  • Privacy violations: Unauthorized access to personal information is a direct violation of customer privacy.
  • Reputational damage: A data breach can significantly damage the reputation of your online store.
  • Legal and regulatory consequences: Depending on your location and the data exposed, you may face legal action and fines for failing to protect customer data (e.g., GDPR violations).
  • Phishing and social engineering attacks: The exposed data can be used to craft more convincing phishing emails or social engineering attacks targeting your customers.

Mitigation and Patch Steps

The primary mitigation step is to immediately update the Live Sales Notifications for WooCommerce plugin to the latest version. The vulnerability has been patched in versions released after 2.3.39.

  1. Update the Plugin: Log in to your WordPress admin dashboard. Navigate to “Plugins” and locate “Live Sales Notifications for WooCommerce.” Click the “Update Now” button if an update is available. If an update is not available, you may need to delete the plugin and reinstall the latest version from the WordPress repository.
  2. Verify Update: After updating, verify that the plugin version is higher than 2.3.39.
  3. Monitor Logs: Monitor your website’s logs for any suspicious activity or attempts to access the `getOrders` function.
  4. Consider a WAF: If immediate patching isn’t possible, consider implementing a Web Application Firewall (WAF) rule to block unauthorized access to the `getOrders` function. This is a temporary measure and should not replace updating the plugin.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.