Overview
CVE-2025-13389 identifies a critical vulnerability in the “Admin and Customer Messages After Order for WooCommerce: OrderConvo” plugin for WordPress. This flaw allows unauthenticated attackers to access sensitive WooCommerce order details and private conversation messages between customers and store administrators without proper authorization.
Technical Details
The vulnerability stems from a missing capability check on the get_order_by_id() function in the wprest.class.php file. All versions of the plugin up to and including version 14 are affected. Because the function never verifies who is calling it, an unauthenticated user can retrieve the details of any order simply by supplying its ID, bypassing the access controls the plugin was meant to enforce.
Affected file: includes/wprest.class.php
Vulnerable function: get_order_by_id()
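The fix for a bug of this class is to make the REST route refuse callers who are neither store managers nor the order's own customer. The following is an added illustration written for this advisory, not the OrderConvo plugin's code; the route namespace, the helper names, the chosen capability and the returned fields are assumptions.

```php
<?php
// Added example (not the plugin's own code): a WordPress REST route that
// looks up an order and enforces authorization in permission_callback.
// Namespace, helper names and the 'manage_woocommerce' capability are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-orderconvo/v1', '/order/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_order_by_id',
        // Vulnerable pattern: '__return_true' here (or no check in the handler)
        // lets unauthenticated callers read any order by ID.
        'permission_callback' => 'example_order_permission_check',
        'args'                => array(
            'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Allow only store managers or the customer who placed the order.
function example_order_permission_check( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $order = wc_get_order( absint( $request['id'] ) );
    if ( $order && (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    // Same response whether the order is missing or belongs to someone else,
    // so the endpoint cannot be used to enumerate valid order IDs.
    return new WP_Error( 'rest_forbidden', 'You cannot view this order.',
        array( 'status' => 403 ) );
}

function example_get_order_by_id( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    // Return only what the messaging feature needs, not the full order object.
    return rest_ensure_response( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
```

Doing the ownership check in permission_callback rather than in the handler means WordPress rejects the request before any order data is loaded.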
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13389 a score of 5.3 (MEDIUM). The score reflects unauthorized information disclosure: the affected function is reachable over the network, no authentication is required, and the impact is to confidentiality. Exploitation is straightforward for the same reason, since an attacker needs no account on the site.
Possible Impact
Exploitation of this vulnerability can have severe consequences for WooCommerce store owners:
- Data Breach: Attackers can access sensitive customer information, including names, addresses, email addresses, phone numbers, and order details.
- Privacy Violation: Private conversations between customers and store administrators are exposed, potentially revealing personal or confidential information.
- Reputational Damage: A data breach can severely damage the reputation of the store and erode customer trust.
- Potential Legal Liabilities: Depending on the jurisdiction, the store owner may face legal liabilities for failing to protect customer data.
Mitigation and Patch Steps
To mitigate the risk posed by CVE-2025-13389, it is crucial to update the “Admin and Customer Messages After Order for WooCommerce: OrderConvo” plugin to the latest version as soon as possible. The latest versions contain the necessary security fix to address the missing capability check.
If an update is not immediately available, temporarily disable the plugin until a patched version is released. Also review your web server access logs for requests that step through order IDs, which would indicate attempted enumeration of order data.
