CVE-2025-12955
Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
| CWE | CWE-862 |
| Vendor | rajeshsingh520 |
| Product | piweb live sales notification for woocommerce |
| Published | Nov 18, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for rajeshsingh520 piweb live sales notification for woocommerce
Be the first to know when new high vulnerabilities affecting rajeshsingh520 piweb live sales notification for woocommerce are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
rajeshsingh520 / PiWeb Live sales notification for WooCommerce
0 โค 2.3.39
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1cebcf16-ae7f-45c4-8e1d-80ede4c32106?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394241%40live-sales-notifications-for-woocommerce&old=3389540%40live-sales-notifications-for-woocommerce&sfp_email=&sfph_mail=
Credits
Athiwat Tiprasaharn