Admin And Customer Messages After Order For Woocommerce
cpe:2.3:a:nmedia:admin_and_customer_messages_after_order_for_woocommerce:_orderconvo:*:*:*:*:*:*:*:*
part: a version: _orderconvo update: *
| Vendor | Nmedia (7ec2032c-0584-5995-a117-006b70254261) |
|---|---|
| Product | Admin And Customer Messages After Order For Woocommerce (3e9ba8af-f16c-569f-809e-7d731a353619) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2025-13452 | vulnerable | 2026-06-08 07:04:32.223871 | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages<br>MEDIUM (4.3)<br>The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.<br>Published: 2025-11-25T07:28:20.236Z<br>Updated: 2026-04-08T16:43:48.690Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-13389 | vulnerable | 2026-06-08 07:04:32.114222 | Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure<br>MEDIUM (5.3)<br>The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.<br>Published: 2025-11-25T07:28:21.828Z<br>Updated: 2026-04-08T17:09:12.024Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-13355 | vulnerable | 2026-06-08 06:25:37.361228 | Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting<br>MEDIUM (5.4)<br>The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the `upload_file()` function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.<br>Published: 2025-01-16T09:39:14.156Z<br>Updated: 2026-04-08T17:04:02.849Z | Imported from gcve-enriched-dumps CVE data |