Urgent Security Alert: Unauthenticated Message Injection in WooCommerce OrderConvo Plugin (CVE-2025-13452)

Overview

CVE-2025-13452 details a medium severity vulnerability found in the “Admin and Customer Messages After Order for WooCommerce: OrderConvo” plugin for WordPress. Specifically, all versions up to and including version 14 are affected. This vulnerability allows unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation. This is achieved by exploiting a missing authorization check in the plugin’s REST API.

Technical Details

The vulnerability stems from a flawed permission check within the REST API permission callback function. This function incorrectly returns `true` when no nonce is provided. As a result, an attacker can bypass authentication by directly calling the REST endpoint with crafted `user_id`, `order_id`, and `context` parameters. This allows them to insert malicious or misleading messages into existing order conversations, potentially leading to social engineering attacks, information theft, or other harmful outcomes.
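To make the flaw concrete, here is an added, hypothetical pair of REST permission callbacks for an order-message endpoint, written for this post and not taken from the OrderConvo plugin. The vulnerable form mirrors the behaviour described above (a missing nonce is treated as authorized and the request's `user_id` is trusted); the hardened form fails closed, takes the author from the authenticated session, and checks access to the specific order. The route name, function names and `demo_` prefix are assumptions.

```php
<?php
// Hypothetical example, not the plugin's code. Assumes WordPress + WooCommerce
// are loaded and the route 'orderconvo-demo/v1/message' receives order_id and context.

// Vulnerable pattern described in the advisory: absence of a nonce returns true,
// so an unauthenticated caller passes and any user_id it supplies is believed.
function demo_vulnerable_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true; // BUG: no nonce == authorized
    }
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened pattern: fail closed, bind identity to the session, check the order.
function demo_hardened_permission( WP_REST_Request $request ) {
    // Core cookie auth only sets a current user when a valid wp_rest nonce was
    // sent; with a missing or bad nonce the caller is anonymous and is rejected.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    // The client-supplied user_id is ignored entirely; customers may only post
    // on their own orders, staff (manage_woocommerce) may post on any order.
    $is_staff = current_user_can( 'manage_woocommerce' );
    if ( ! $is_staff && (int) $order->get_customer_id() !== get_current_user_id() ) {
        return new WP_Error( 'rest_forbidden', 'Not your order.', array( 'status' => 403 ) );
    }
    return true;
}

function demo_store_message( WP_REST_Request $request ) {
    // Author always comes from the session, never from the request body.
    $author = get_current_user_id();
    $context = sanitize_key( $request->get_param( 'context' ) );
    // Persisting the message is out of scope here; echo what would be recorded.
    return rest_ensure_response( array( 'author' => $author, 'context' => $context ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'orderconvo-demo/v1', '/message', array(
        'methods'             => 'POST',
        'callback'            => 'demo_store_message',
        'permission_callback' => 'demo_hardened_permission',
        'args'                => array(
            'order_id' => array( 'required' => true, 'validate_callback' => 'is_numeric' ),
            'context'  => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, the check is whether `permission_callback` can ever return `true` for an anonymous request, and whether any identity field in the request body is used instead of `get_current_user_id()`.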

Relevant code snippets (prior to version 15) can be found on the WordPress plugin repository:

CVSS Analysis

  • CVSS Score: 4.3 (Medium)

While the CVSS score is medium, the potential impact of this vulnerability should not be underestimated. The score reflects the low complexity and the lack of required privileges, but the potential for social engineering makes this a serious issue for stores using this plugin.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Reputation Damage: Attackers could inject messages that damage the store’s reputation.
  • Social Engineering: Attackers could impersonate store administrators or customers to trick individuals into revealing sensitive information.
  • Financial Loss: Manipulation of order conversations could lead to fraudulent transactions or unauthorized refunds.
  • Data Breaches: Depending on the content injected, attackers might be able to gather Personally Identifiable Information (PII).

Mitigation or Patch Steps

The primary mitigation step is to update the “Admin and Customer Messages After Order for WooCommerce: OrderConvo” plugin to the latest version (version 15 or later). This update includes a fix for the flawed permission check in the REST API.

If updating is not immediately possible, consider temporarily disabling the plugin until the update can be applied. Reviewing existing order conversations for suspicious messages is also recommended.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
