CVE-2025-12075 is a vulnerability identified in the Order Splitter for WooCommerce plugin for WordPress, specifically due to a missing authorization (CWE-862) on the 'wos_troubleshooting' AJAX endpoint. This endpoint fails to verify if the authenticated user has the appropriate capabilities before allowing access to order-related data. As a result, any authenticated user with at least Subscriber-level privileges can exploit this flaw to access order information belonging to other users. The vulnerability affects all plugin versions up to and including 5.3.5. The CVSS v3.1 base score is 4.3 (medium), reflecting the low attack complexity and remote exploitability without user interaction, but limited impact confined to confidentiality. The flaw does not allow modification or deletion of data (integrity and availability unaffected). No patches have been linked yet, and no active exploitation has been reported. The vulnerability arises from improper access control in AJAX handlers, a common issue in WordPress plugins that can lead to data leakage. Attackers do not need elevated privileges beyond Subscriber, which is often granted to registered users, increasing the attack surface. This vulnerability is particularly relevant for e-commerce sites relying on WooCommerce and this plugin to manage order splitting functionality.

For European organizations, the primary impact is unauthorized disclosure of customer order information, which can include sensitive personal and transactional data. This breach of confidentiality can lead to privacy violations under GDPR, potentially resulting in regulatory fines and reputational damage. Although the vulnerability does not allow data modification or service disruption, the exposure of order details can facilitate further attacks such as social engineering, fraud, or identity theft. E-commerce businesses using WooCommerce with the vulnerable plugin are at risk, especially those with large user bases or handling sensitive customer data. The medium severity score reflects the moderate risk; however, the widespread use of WooCommerce in Europe amplifies the potential scope. Organizations may also face customer trust erosion and legal consequences if data exposure is exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often target such vulnerabilities once disclosed.

Organizations should immediately audit their WordPress installations to identify the use of the Order Splitter for WooCommerce plugin and its version. Until an official patch is released, administrators should restrict Subscriber-level user capabilities to the minimum necessary and consider disabling or restricting access to the 'wos_troubleshooting' AJAX endpoint via custom code or security plugins that enforce capability checks. Monitoring logs for unusual access patterns to AJAX endpoints can help detect exploitation attempts. Applying the official patch promptly once available is critical. Additionally, implementing a Web Application Firewall (WAF) with rules to block unauthorized AJAX requests can provide a protective layer. Regularly reviewing user roles and permissions to ensure least privilege principles are enforced will reduce the attack surface. Finally, informing customers and preparing incident response plans for potential data exposure scenarios will help manage post-incident impacts.