CVE 6.5 MEDIUM

WooCommerce – Subscriber/Customer+ Order Data Disclosure (CVE-2025-15033)

6.5 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

A vulnerability in WooCommerce 8.1 through 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. It is fixed in WooCommerce 10.4.3 and, through point releases, in every previously affected version back to 8.1, where the fix is in 8.1.3. WooCommerce 8.0 and earlier are not affected.

Basic Information

ID CVE-2025-15033
Source WPScan
Published Dec 22, 2025 at 18:57
Modified Dec 22, 2025 at 23:56

Affected Product

Vendor Automattic
Product WooCommerce
Version 8.1.0
Affected Versions
Automattic WooCommerce 8.1.0
Automattic WooCommerce 8.2.0
Automattic WooCommerce 8.3.0
Automattic WooCommerce 8.4.0
Automattic WooCommerce 8.5.0
Automattic WooCommerce 8.6.0
Automattic WooCommerce 8.7.0
Automattic WooCommerce 8.8.0
Automattic WooCommerce 8.9.0
Automattic WooCommerce 9.0.0
Automattic WooCommerce 9.1.0
Automattic WooCommerce 9.2.0
Automattic WooCommerce 9.3.0
Automattic WooCommerce 9.4.0
Automattic WooCommerce 9.5.0
Automattic WooCommerce 9.6.0
Automattic WooCommerce 9.7.0
Automattic WooCommerce 9.8.0
Automattic WooCommerce 9.9.0
Automattic WooCommerce 10.0.0
Automattic WooCommerce 10.1.0
Automattic WooCommerce 10.2.0
Automattic WooCommerce 10.3.0
Automattic WooCommerce 10.4.0

CWE Classification

References
