๐Ÿ” CVE Alert

CVE-2025-13389

MEDIUM 5.3

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure

CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.

CWE CWE-639
Vendor nmedia
Product admin and customer messages after order for woocommerce: orderconvo
Published Nov 25, 2025
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for nmedia admin and customer messages after order for woocommerce: orderconvo

Be the first to know when new medium vulnerabilities affecting nmedia admin and customer messages after order for woocommerce: orderconvo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

nmedia / Admin and Customer Messages After Order for WooCommerce: OrderConvo
0 โ‰ค 14

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/9149d2c6-b6c7-430d-8886-c8c5de483220?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/tags/14/includes/wprest.class.php#L142 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/admin-and-client-message-after-order-for-woocommerce/trunk/includes/wprest.class.php#L142 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3439999/

Credits

Md. Moniruzzaman Prodhan