CVSS Base Score 6.5

CVE-2025-15033

Exploit

WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure

A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
Possible countermeasure
WooCommerce: Update to one of the following versions, or a newer patched version: 10.0.5, 10.1.3, 10.2.3, 10.3.7, 8.1.3, 8.2.4, 8.3.3, 8.4.2, 8.5.4, 8.6.3, 8.7.2, 8.8.6, 8.9.4, 9.0.3, 9.1.5, 9.2.4, 9.3.5, 9.4.4, 9.5.3, 9.6.3, 9.7.2, 9.8.6, 9.9.6
Linked by AI from unstructured data to existing NVD CPEs
This information is available to logged-in users.
Further vulnerability information
System: WordPress Plugin
Product: WooCommerce
Version 10.0-10.0.4
Version 10.1-10.1.2
Version 10.2-10.2.2
Version 10.3-10.3.6
Version 8.1-8.1.2
Version 8.2-8.2.3
Version 8.3-8.3.2
Version 8.4-8.4.1
Version 8.5-8.5.3
Version 8.6-8.6.2
Version 8.7-8.7.1
Version 8.8-8.8.5
Version 8.9-8.9.3
Version 9.0-9.0.2
Version 9.1-9.1.4
Version 9.2-9.2.3
Version 9.3-9.3.4
Version 9.4-9.4.3
Version 9.5-9.5.2
Version 9.6-9.6.2
Version 9.7-9.7.1
Version 9.8-9.8.5
Version 9.9-9.9.5
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Automattic
Product: WooCommerce
Default status: unaffected

Affected version ranges (CNA data):

Version from | Less than | Status
8.1.0 | 8.1.3 | affected
8.2.0 | 8.2.4 | affected
8.3.0 | 8.3.3 | affected
8.4.0 | 8.4.2 | affected
8.5.0 | 8.5.4 | affected
8.6.0 | 8.6.3 | affected
8.7.0 | 8.7.2 | affected
8.8.0 | 8.8.6 | affected
8.9.0 | 8.9.4 | affected
9.0.0 | 9.0.3 | affected
9.1.0 | 9.1.5 | affected
9.2.0 | 9.2.4 | affected
9.3.0 | 9.3.5 | affected
9.4.0 | 9.4.4 | affected
9.5.0 | 9.5.3 | affected
9.6.0 | 9.6.3 | affected
9.7.0 | 9.7.2 | affected
9.8.0 | 9.8.6 | affected
9.9.0 | 9.9.6 | affected
10.0.0 | 10.0.5 | affected
10.1.0 | 10.1.3 | affected
10.2.0 | 10.2.3 | affected
10.3.0 | 10.3.7 | affected
10.4.0 | 10.4.3 | affected
No CISA KEV entry or CERT.at warning was found for this CVE.

EPSS metrics

Type | Source | Score | Percentile
EPSS | FIRST.org | 0.02% | 0.052

CVSS metrics

Source | Base Score | Exploit Score | Impact Score | Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.