CVE-2025-15033: Sensitive Information Exposure in WooCommerce

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.0% (top 92.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 22

Description

A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

CVEListV5 | automattic/woocommerce | 8.1.0 | 8.1.3 | +23

Vulnerability Details (2)

GHSA | GHSA-q45j-x3cj-gjvq: A vulnerability in WooCommerce 8 | 2025-12-22
CVEList | WooCommerce - Subscriber/Customer+ Order Data Disclosure | 2025-12-22

Threat Intelligence (1)

Wiz | CVE-2025-15033 Impact, Exploitability, and Mitigation Steps | Wiz