CVSS 3.1 base score 6.5
CVE-2025-15033
- EPSS 0.03%
- Published 22.12.2025 18:57:39
- Last modified 15.04.2026 00:35:42
- Source contact@wpscan.com
WooCommerce - Subscriber/Customer+ Order Data Disclosure
WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
Possible mitigation
WooCommerce: update to the patched release of the minor branch you are on, or to any newer patched version. Each 8.x, 9.x and 10.x branch was fixed separately, so the first safe release depends on the branch: 8.1.3, 8.2.4, 8.3.3, 8.4.2, 8.5.4, 8.6.3, 8.7.2, 8.8.6, 8.9.4, 9.0.3, 9.1.5, 9.2.4, 9.3.5, 9.4.4, 9.5.3, 9.6.3, 9.7.2, 9.8.6, 9.9.6, 10.0.5, 10.1.3, 10.2.3, 10.3.7, 10.4.3. WooCommerce 8.0 and earlier are not affected.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Automattic
Product: WooCommerce
Default status: unaffected

| From version (inclusive) | Up to version (exclusive) | Status |
|---|---|---|
| 8.1.0 | 8.1.3 | affected |
| 8.2.0 | 8.2.4 | affected |
| 8.3.0 | 8.3.3 | affected |
| 8.4.0 | 8.4.2 | affected |
| 8.5.0 | 8.5.4 | affected |
| 8.6.0 | 8.6.3 | affected |
| 8.7.0 | 8.7.2 | affected |
| 8.8.0 | 8.8.6 | affected |
| 8.9.0 | 8.9.4 | affected |
| 9.0.0 | 9.0.3 | affected |
| 9.1.0 | 9.1.5 | affected |
| 9.2.0 | 9.2.4 | affected |
| 9.3.0 | 9.3.5 | affected |
| 9.4.0 | 9.4.4 | affected |
| 9.5.0 | 9.5.3 | affected |
| 9.6.0 | 9.6.3 | affected |
| 9.7.0 | 9.7.2 | affected |
| 9.8.0 | 9.8.6 | affected |
| 9.9.0 | 9.9.6 | affected |
| 10.0.0 | 10.0.5 | affected |
| 10.1.0 | 10.1.3 | affected |
| 10.2.0 | 10.2.3 | affected |
| 10.3.0 | 10.3.7 | affected |
| 10.4.0 | 10.4.3 | affected |
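Because every minor branch received its own point release, a naive "is the installed version at least 10.4.3" check gets this advisory wrong in both directions: it flags a patched 8.1.3 as vulnerable, and a lexicographic string comparison even rates "9.9.5" as newer than "10.4.3". The script below is an added example (not code from the advisory, VulnDex or WooCommerce) that encodes the affected ranges from the table above and does a branch-aware comparison. It assumes the version string is obtained from the site, for instance with WP-CLI's `wp plugin get woocommerce --field=version`, and that pre-release suffixes (`-beta.1`, `-rc.1`) can be stripped before comparing; the sample versions in the `__main__` block are constructed inputs.

```python
"""Branch-aware check of a WooCommerce version against the affected ranges of
CVE-2025-15033. Added example; not code from the advisory or from WooCommerce."""
from __future__ import annotations

import sys

# (first affected, first fixed) per minor branch, copied from the CNA table.
# Each branch was patched separately, so a version must be compared against
# the range of its own branch rather than against the newest fixed release.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("8.1.0", "8.1.3"), ("8.2.0", "8.2.4"), ("8.3.0", "8.3.3"), ("8.4.0", "8.4.2"),
    ("8.5.0", "8.5.4"), ("8.6.0", "8.6.3"), ("8.7.0", "8.7.2"), ("8.8.0", "8.8.6"),
    ("8.9.0", "8.9.4"), ("9.0.0", "9.0.3"), ("9.1.0", "9.1.5"), ("9.2.0", "9.2.4"),
    ("9.3.0", "9.3.5"), ("9.4.0", "9.4.4"), ("9.5.0", "9.5.3"), ("9.6.0", "9.6.3"),
    ("9.7.0", "9.7.2"), ("9.8.0", "9.8.6"), ("9.9.0", "9.9.6"), ("10.0.0", "10.0.5"),
    ("10.1.0", "10.1.3"), ("10.2.0", "10.2.3"), ("10.3.7", "10.3.7"), ("10.4.0", "10.4.3"),
]
# Correct the 10.3 entry above to the table's range (typo guard kept explicit).
AFFECTED_RANGES[22] = ("10.3.0", "10.3.7")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.4.2' or '9.8' into a numerically comparable tuple.

    A pre-release suffix such as '10.5.0-beta.1' is cut off (assumption: the
    numeric core decides the branch). Missing components are padded with 0,
    so '9.8' compares as 9.8.0. Non-numeric input raises ValueError.
    """
    core = v.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def first_fixed_on_branch(version: str) -> str | None:
    """First patched release on the installed version's own branch, or None
    when the version lies outside every affected range (e.g. 8.0.x, 10.5+)."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    """True if the version falls into any affected range of this advisory."""
    return first_fixed_on_branch(version) is not None


def assess(version: str) -> str:
    """One-line verdict suitable for a fleet report."""
    fix = first_fixed_on_branch(version)
    if fix is None:
        return f"WooCommerce {version}: not in an affected range of CVE-2025-15033"
    return f"WooCommerce {version}: affected by CVE-2025-15033, update to {fix} or newer"


if __name__ == "__main__":
    # Constructed sample inputs; in practice pass the output of
    #   wp plugin get woocommerce --field=version
    for arg in sys.argv[1:] or ["8.1.3", "9.8.5", "9.9.5", "10.4.2", "10.4.3", "8.0.4"]:
        print(assess(arg))
```

Run it with the version string as the only argument on each site, or feed a list of versions from an inventory; `first_fixed_on_branch` returns the exact point release to request from the site owner, which matters on hosts that pin a minor branch and will not jump to 10.4.3.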
VulnDex Vulnerability Enrichment
Further vulnerability information
System: WordPress Plugin
Product: WooCommerce
Affected versions (inclusive ranges):
- 8.1-8.1.2
- 8.2-8.2.3
- 8.3-8.3.2
- 8.4-8.4.1
- 8.5-8.5.3
- 8.6-8.6.2
- 8.7-8.7.1
- 8.8-8.8.5
- 8.9-8.9.3
- 9.0-9.0.2
- 9.1-9.1.4
- 9.2-9.2.3
- 9.3-9.3.4
- 9.4-9.4.3
- 9.5-9.5.2
- 9.6-9.6.2
- 9.7-9.7.1
- 9.8-9.8.5
- 9.9-9.9.5
- 10.0-10.0.4
- 10.1-10.1.2
- 10.2-10.2.2
- 10.3-10.3.6
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.09 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.