CVE-2025-13452

MEDIUM 4.3

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

CVSS Score

4.3

EPSS Score

0.0%

EPSS Percentile

0th

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

CWE	CWE-639
Vendor	nmedia
Product	admin and customer messages after order for woocommerce: orderconvo
Published	Nov 25, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for nmedia admin and customer messages after order for woocommerce: orderconvo

Be the first to know when new medium vulnerabilities affecting nmedia admin and customer messages after order for woocommerce: orderconvo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

nmedia / Admin and Customer Messages After Order for WooCommerce: OrderConvo

0 ≤ 14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

Credits

Md. Moniruzzaman Prodhan