CVE-2025-15033
Published 2025-12-22
Priority: P3 39 | Severity: medium | CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.29% (20.7th percentile)
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
Affected: 24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | woocommerce | >= 10.0.0 < 10.0.5 | 10.0.5 |
| automattic | woocommerce | >= 10.1.0 < 10.1.3 | 10.1.3 |
| automattic | woocommerce | >= 10.2.0 < 10.2.3 | 10.2.3 |
| automattic | woocommerce | >= 10.3.0 < 10.3.7 | 10.3.7 |
| automattic | woocommerce | >= 10.4.0 < 10.4.3 | 10.4.3 |
| automattic | woocommerce | >= 8.1.0 < 8.1.3 | 8.1.3 |
| automattic | woocommerce | >= 8.2.0 < 8.2.4 | 8.2.4 |
| automattic | woocommerce | >= 8.3.0 < 8.3.3 | 8.3.3 |
| automattic | woocommerce | >= 8.4.0 < 8.4.2 | 8.4.2 |
| automattic | woocommerce | >= 8.5.0 < 8.5.4 | 8.5.4 |
| automattic | woocommerce | >= 8.6.0 < 8.6.3 | 8.6.3 |
| automattic | woocommerce | >= 8.7.0 < 8.7.2 | 8.7.2 |
| automattic | woocommerce | >= 8.8.0 < 8.8.6 | 8.8.6 |
| automattic | woocommerce | >= 8.9.0 < 8.9.4 | 8.9.4 |
| automattic | woocommerce | >= 9.0.0 < 9.0.3 | 9.0.3 |
| automattic | woocommerce | >= 9.1.0 < 9.1.5 | 9.1.5 |
| automattic | woocommerce | >= 9.2.0 < 9.2.4 | 9.2.4 |
| automattic | woocommerce | >= 9.3.0 < 9.3.5 | 9.3.5 |
| automattic | woocommerce | >= 9.4.0 < 9.4.4 | 9.4.4 |
| automattic | woocommerce | >= 9.5.0 < 9.5.3 | 9.5.3 |
| automattic | woocommerce | >= 9.6.0 < 9.6.3 | 9.6.3 |
| automattic | woocommerce | >= 9.7.0 < 9.7.2 | 9.7.2 |
| automattic | woocommerce | >= 9.8.0 < 9.8.6 | 9.8.6 |
| automattic | woocommerce | >= 9.9.0 < 9.9.6 | 9.9.6 |
No detection rules found.
No public exploits indexed.