CVE-2025-15033
Description
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as in all previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In WooCommerce 8.1 to 10.4.2, logged-in customers could access guest customer order data under certain configurations; fixed in subsequent point releases.
Vulnerability
Overview
A vulnerability in the WooCommerce plugin for WordPress, affecting versions 8.1 through 10.4.2, allows logged-in users with customer-level privileges to access order data belonging to guest customers on sites with a specific configuration [1]. The issue is classified as a sensitive data disclosure flaw and was discovered by researcher Peter Stöckli [1].
Exploitation
Conditions
The attack requires the attacker to be a logged-in customer on the WooCommerce site. The vulnerability only manifests when the site is configured in a certain way, though the exact configuration detail is not publicly specified in the advisory [1]. No additional authentication or network position is required beyond being an authenticated customer.
Impact
A successful exploit could expose private order information of guest customers, including potentially sensitive details like names, addresses, and purchased items [1]. This leakage violates the expected separation between user accounts and guest orders, undermining customer trust and potentially violating data protection regulations.
Mitigation
The vulnerability has been fully addressed by WooCommerce. Patched versions have been released across all affected minor branches, starting from 8.1.3 up to 10.4.3 [1]. Users running any affected version should update immediately to the corresponding fixed release. No workarounds have been published.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.