CVE-2025-15033
published 2025-12-22


Priority: P3 (39)
CVSS 3.1: 6.5 (medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.29% (20.7th percentile)
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.

Affected (24 ranges)

Vendor      Product      Version range          Fixed in
automattic  woocommerce  >= 8.1.0  < 8.1.3      8.1.3
automattic  woocommerce  >= 8.2.0  < 8.2.4      8.2.4
automattic  woocommerce  >= 8.3.0  < 8.3.3      8.3.3
automattic  woocommerce  >= 8.4.0  < 8.4.2      8.4.2
automattic  woocommerce  >= 8.5.0  < 8.5.4      8.5.4
automattic  woocommerce  >= 8.6.0  < 8.6.3      8.6.3
automattic  woocommerce  >= 8.7.0  < 8.7.2      8.7.2
automattic  woocommerce  >= 8.8.0  < 8.8.6      8.8.6
automattic  woocommerce  >= 8.9.0  < 8.9.4      8.9.4
automattic  woocommerce  >= 9.0.0  < 9.0.3      9.0.3
automattic  woocommerce  >= 9.1.0  < 9.1.5      9.1.5
automattic  woocommerce  >= 9.2.0  < 9.2.4      9.2.4
automattic  woocommerce  >= 9.3.0  < 9.3.5      9.3.5
automattic  woocommerce  >= 9.4.0  < 9.4.4      9.4.4
automattic  woocommerce  >= 9.5.0  < 9.5.3      9.5.3
automattic  woocommerce  >= 9.6.0  < 9.6.3      9.6.3
automattic  woocommerce  >= 9.7.0  < 9.7.2      9.7.2
automattic  woocommerce  >= 9.8.0  < 9.8.6      9.8.6
automattic  woocommerce  >= 9.9.0  < 9.9.6      9.9.6
automattic  woocommerce  >= 10.0.0 < 10.0.5     10.0.5
automattic  woocommerce  >= 10.1.0 < 10.1.3     10.1.3
automattic  woocommerce  >= 10.2.0 < 10.2.3     10.2.3
automattic  woocommerce  >= 10.3.0 < 10.3.7     10.3.7
automattic  woocommerce  >= 10.4.0 < 10.4.3     10.4.3
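With 24 separate fixed point releases, "am I patched?" is not a single comparison, and the advisory does not say which site configuration is required for the exposure, so the safe check is to treat any version inside a listed range as affected. The following checker is an added example (not code from the advisory or from WooCommerce); it embeds the advisory's affected ranges as data, parses a version string into a comparable tuple, and reports whether that version is affected and which point release carries the fix. The version strings passed to it are constructed samples; a release-candidate tag is treated as sorting before the corresponding final release, which is a deliberate conservative choice rather than anything the advisory states.

```python
"""Version checker for CVE-2025-15033 (WooCommerce guest-order data exposure).

Added example, not code from the advisory or from WooCommerce. It encodes
the advisory's 24 affected ranges and reports whether a given installed
version lies in one of them and which point release carries the fix."""
from __future__ import annotations

import re
import sys

# Copied from the advisory's "Affected" table: (first affected, first fixed).
# Each row means ">= lo and < hi"; "hi" is also the release that fixes the range.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("8.1.0", "8.1.3"), ("8.2.0", "8.2.4"), ("8.3.0", "8.3.3"), ("8.4.0", "8.4.2"),
    ("8.5.0", "8.5.4"), ("8.6.0", "8.6.3"), ("8.7.0", "8.7.2"), ("8.8.0", "8.8.6"),
    ("8.9.0", "8.9.4"), ("9.0.0", "9.0.3"), ("9.1.0", "9.1.5"), ("9.2.0", "9.2.4"),
    ("9.3.0", "9.3.5"), ("9.4.0", "9.4.4"), ("9.5.0", "9.5.3"), ("9.6.0", "9.6.3"),
    ("9.7.0", "9.7.2"), ("9.8.0", "9.8.6"), ("9.9.0", "9.9.6"), ("10.0.0", "10.0.5"),
    ("10.1.0", "10.1.3"), ("10.2.0", "10.2.3"), ("10.3.0", "10.3.7"), ("10.4.0", "10.4.3"),
]

# major.minor[.patch][-prerelease], e.g. "10.4.2", "10.4", "10.4.3-rc.1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn a WooCommerce version string into a comparable tuple.

    The fourth element orders a pre-release (e.g. 10.4.3-rc.1) *before* the
    final 10.4.3, so a release candidate of the fix version is still treated
    as unfixed. That is a conservative assumption of this example: the RC
    may predate the patch, and the advisory says nothing about pre-releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0), -1 if prerelease else 0)


def check_version(installed: str) -> tuple[bool, str | None]:
    """Return (affected, fixed_in) for one installed version.

    Versions outside every listed range (8.0.x and earlier, any release at or
    past its line's fix, and lines not in the table) come back as unaffected.
    """
    v = parse_version(installed)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return True, hi
    return False, None


def report(installed: str) -> str:
    """One-line human-readable verdict, usable from a cron job or CI step."""
    affected, fixed_in = check_version(installed)
    if affected:
        return f"WooCommerce {installed}: AFFECTED by CVE-2025-15033, upgrade to {fixed_in}"
    return f"WooCommerce {installed}: not in an affected range for CVE-2025-15033"


if __name__ == "__main__":
    # Pass the installed version on the command line; without arguments the
    # script runs over a few constructed sample versions.
    for ver in sys.argv[1:] or ["8.0.4", "8.1.2", "9.8.5", "10.4.2", "10.4.3", "10.4.3-rc.1"]:
        print(report(ver))
```

On a WordPress host with WP-CLI, the installed version can be fed in with `wp plugin get woocommerce --field=version`. The ranges are half-open on purpose: a site on exactly the fix version of its line (for example 9.8.6) is reported as not affected, while anything below it within the same line is flagged, whether or not the unspecified configuration that triggers the exposure happens to be in place.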