CVE-2025-15033
WooCommerce - Subscriber/Customer+ Order Data Disclosure
| CVSS Score | 6.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
| Vendor | automattic |
| Product | woocommerce |
| Published | Dec 22, 2025 |
| Last Updated | Mar 6, 2026 |
Affected Versions
Automattic / WooCommerce
| Affected from (inclusive) | Fixed in (first patched release) |
| 8.1.0 | 8.1.3 |
| 8.2.0 | 8.2.4 |
| 8.3.0 | 8.3.3 |
| 8.4.0 | 8.4.2 |
| 8.5.0 | 8.5.4 |
| 8.6.0 | 8.6.3 |
| 8.7.0 | 8.7.2 |
| 8.8.0 | 8.8.6 |
| 8.9.0 | 8.9.4 |
| 9.0.0 | 9.0.3 |
| 9.1.0 | 9.1.5 |
| 9.2.0 | 9.2.4 |
| 9.3.0 | 9.3.5 |
| 9.4.0 | 9.4.4 |
| 9.5.0 | 9.5.3 |
| 9.6.0 | 9.6.3 |
| 9.7.0 | 9.7.2 |
| 9.8.0 | 9.8.6 |
| 9.9.0 | 9.9.6 |
| 10.0.0 | 10.0.5 |
| 10.1.0 | 10.1.3 |
| 10.2.0 | 10.2.3 |
| 10.3.0 | 10.3.7 |
| 10.4.0 | 10.4.3 |
References
Credits
Peter Stöckli (WPScan)