
cpe:2.3:a:nmedia:admin_and_customer_messages_after_order_for_woocommerce:_orderconvo:*:*:*:*:*:*:*:*

Part: a · Version: _orderconvo · Update: *

Caveat: the colon inside the product name ("...for_woocommerce:_orderconvo") is not escaped, so the formatted string above has 14 colon-separated components instead of the 13 that CPE 2.3 defines (a literal colon must be written as "\:"). The parser therefore treats "_orderconvo" as the version, and the version field carries no information about the affected releases; the affected ranges ("<= 14", "<= 13.2") are stated only in the CVE records below.

Vendor: Nmedia (7ec2032c-0584-5995-a117-006b70254261)
Product: Admin And Customer Messages After Order For Woocommerce (3e9ba8af-f16c-569f-809e-7d731a353619)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier · CPE applicability · Submitted · db.gcve.eu details · Rationale

CVE-2025-13452
Applicability: vulnerable
Submitted: 2026-06-08 07:04:32.223871
Title: Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages
Severity: MEDIUM (4.3)
Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.
Published: 2025-11-25T07:28:20.236Z
Updated: 2026-04-08T16:43:48.690Z
Reference links:
Rationale: Imported from gcve-enriched-dumps CVE data
CVE-2025-13389
Applicability: vulnerable
Submitted: 2026-06-08 07:04:32.114222
Title: Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure
Severity: MEDIUM (5.3)
Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Published: 2025-11-25T07:28:21.828Z
Updated: 2026-04-08T17:09:12.024Z
Reference links:
Rationale: Imported from gcve-enriched-dumps CVE data
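The two REST API records above describe one authorization gap seen from two sides: in CVE-2025-13452 the permission callback returns true when no nonce is sent and the handler then trusts a client-supplied user_id; in CVE-2025-13389 the order lookup (`get_order_by_id()`) has no capability check, so any order ID can be read. Both are closed by the same pattern: require an authenticated user in the permission callback, derive the acting user from the session rather than a parameter, and bind the requested order to that user before the handler runs. The WordPress/WooCommerce PHP below is an added illustration written for this page, not the OrderConvo plugin's code; the route namespace, the orderconvo_demo_* function names and the use of WooCommerce customer order notes as message storage are assumptions.

```php
<?php
/**
 * Added illustration, NOT the OrderConvo plugin's code. Route namespace, the
 * orderconvo_demo_* functions and the message storage (WooCommerce customer
 * order notes) are assumptions for this example. Assumes WordPress + WooCommerce.
 */

// --- Vulnerable shape described in CVE-2025-13452 ----------------------------
// The callback only fails when a nonce is present AND invalid. A request that
// sends no nonce at all passes, and the handler then trusts client-supplied
// user_id / order_id parameters.
function orderconvo_demo_vulnerable_permission( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true;                       // BUG: unauthenticated caller passes
    }
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// --- Hardened permission callback -------------------------------------------
// WordPress core already validates X-WP-Nonce for cookie-authenticated REST
// calls; with a missing or bad nonce the request runs as user 0. The callback
// therefore (1) requires an authenticated user and (2) checks that this user
// may act on the requested order (the check CVE-2025-13389 says was missing).
function orderconvo_demo_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }

    // Shop staff may read/write any conversation; customers only their own.
    // Guest orders have customer id 0, which never matches a logged-in user.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You may not access this order.', array( 'status' => 403 ) );
}

// Read side: the permission callback has already bound the order to the caller,
// so an arbitrary order_id no longer discloses other customers' conversations.
function orderconvo_demo_get_messages( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    $notes = wc_get_order_notes( array( 'order_id' => $order->get_id(), 'type' => 'customer' ) );
    $out   = array();
    foreach ( $notes as $note ) {
        $out[] = array(
            'id'      => $note->id,
            'author'  => $note->added_by,
            'date'    => $note->date_created->date( 'c' ),
            'content' => $note->content,
        );
    }
    return rest_ensure_response( $out );
}

// Write side: the author is the authenticated session, never a user_id parameter,
// so impersonation of other WordPress users is not possible.
function orderconvo_demo_add_message( WP_REST_Request $request ) {
    $order   = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    $message = sanitize_textarea_field( $request->get_param( 'message' ) );
    if ( '' === $message ) {
        return new WP_Error( 'rest_invalid_param', 'Empty message.', array( 'status' => 400 ) );
    }
    // add_order_note( $note, $is_customer_note, $added_by_user ): with
    // $added_by_user = true WooCommerce records get_current_user_id() as author.
    $note_id = $order->add_order_note( $message, true, true );
    return rest_ensure_response( array( 'id' => $note_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'orderconvo-demo/v1', '/orders/(?P<order_id>\d+)/messages', array(
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'orderconvo_demo_get_messages',
            'permission_callback' => 'orderconvo_demo_permission',
        ),
        array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => 'orderconvo_demo_add_message',
            'permission_callback' => 'orderconvo_demo_permission',
            'args'                => array(
                'message' => array( 'type' => 'string', 'required' => true ),
            ),
        ),
    ) );
} );
```

The design point is that the order-ownership decision lives in the permission callback, which WordPress evaluates before the handler; neither handler re-derives who the caller is from request parameters. Testing the fix is the mirror of the original finding: a request with no X-WP-Nonce (or an Authorization header for another user) must receive 401, and a logged-in customer requesting a different customer's order_id must receive 403.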
CVE-2024-13355
Applicability: vulnerable
Submitted: 2026-06-08 06:25:37.361228
Title: Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting
Severity: MEDIUM (5.4)
Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
Published: 2025-01-16T09:39:14.156Z
Updated: 2026-04-08T17:04:02.849Z
Reference links:
Rationale: Imported from gcve-enriched-dumps CVE data
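The record above attributes the upload-to-XSS issue to insufficient file type validation in upload_file(). In WordPress the robust pattern is to let core decide the type from file content against a strict allowlist rather than trusting the client-supplied name or MIME type, and to exclude script-bearing formats (HTML, SVG, JavaScript) that turn an attachment into stored XSS. The PHP below is an added illustration written for this page, not the plugin's upload_file(); the function names, the nonce action and the allowlist contents are assumptions.

```php
<?php
/**
 * Added illustration, NOT the plugin's upload_file(). Function names, the nonce
 * action and the allowlist are assumptions for this example. Assumes WordPress.
 * $file is one entry of $_FILES (keys: name, type, tmp_name, error, size).
 */

// Vulnerable shape described in CVE-2024-13355: the client-supplied file name is
// trusted, so an authenticated user can upload e.g. .html or .svg and obtain
// stored XSS, or worse depending on how the web server treats the directory.
function orderconvo_demo_vulnerable_upload( array $file, string $dir ) {
    $dest = trailingslashit( $dir ) . basename( $file['name'] ); // BUG: no type check
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : false;
}

// Hardened: authenticate, verify a nonce, and accept only content that core
// recognises as one of a few allowlisted types.
function orderconvo_demo_handle_upload( array $file, string $nonce ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Authentication required.' );
    }
    // Assumed nonce action; the form must embed wp_create_nonce( 'orderconvo_demo_upload' ).
    if ( ! wp_verify_nonce( $nonce, 'orderconvo_demo_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    // In a real flow, also confirm the caller may access the order the file is
    // attached to (same ownership check as for reading the conversation).

    // Allowlist in the format wp_check_filetype() expects: extension pattern =>
    // MIME type. Deliberately no html, svg, js or php.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // wp_check_filetype_and_ext() inspects the actual content (getimagesize for
    // images, finfo where available) and returns empty ext/type when the real
    // type is not in the allowlist or contradicts the declared extension.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'invalid_type', 'File type not allowed.' );
    }

    // wp_handle_upload() re-runs the type test ('test_type' defaults to true),
    // sanitises the name (a.php.jpg becomes a.php_.jpg, defeating multi-extension
    // tricks) and stores the file under a unique name in the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result; // array with 'file' (path), 'url' and 'type'
}
```

Two checks a reviewer should run against any upload handler of this kind: an SVG or HTML file renamed to .png must be rejected (content sniffing, not extension matching), and a file named shell.php.jpg must land on disk with the intermediate extension neutralised.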
