
CVE-2025-1284: CWE-639 Authorization Bypass Through User-Controlled Key in xpertsclub Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)

Medium
Published: Thu Apr 24 2025 (04/24/2025, 08:23:48 UTC)
Source: CVE
Vendor/Project: xpertsclub
Product: Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)

Description

The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' invoices and orders, which can contain sensitive information.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 05:41:28 UTC

Technical Analysis

CVE-2025-1284 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the WordPress plugin 'Woocommerce Automatic Order Printing' (formerly known as WooCommerce Google Cloud Print) developed by xpertsclub. The vulnerability exists in all versions up to and including version 4.1 of the plugin. The root cause is an Insecure Direct Object Reference (IDOR) flaw in the AJAX action 'xc_woo_printer_preview', where the plugin fails to properly validate a user-controlled key parameter. This improper validation allows authenticated users with Subscriber-level privileges or higher to bypass authorization controls and access invoices and orders belonging to other users. These orders and invoices may contain sensitive information such as customer names, addresses, payment details, and order histories. Exploitation requires the attacker to be authenticated on the WordPress site but does not require elevated privileges beyond Subscriber. No user interaction beyond authentication is needed. Although no known exploits are currently reported in the wild, the vulnerability poses a significant privacy risk and could be leveraged for targeted information disclosure attacks. The lack of a patch at the time of reporting increases the urgency for mitigation. The vulnerability impacts the confidentiality of customer data and the integrity of access controls within the affected plugin, potentially undermining trust in e-commerce operations relying on this plugin for order printing and management.

Potential Impact

For European organizations using the Woocommerce Automatic Order Printing plugin, this vulnerability can lead to unauthorized disclosure of sensitive customer and order information. This breach of confidentiality may result in violations of the EU General Data Protection Regulation (GDPR), leading to legal penalties and reputational damage. Retailers and e-commerce businesses that rely on WooCommerce for order processing and printing are particularly at risk. Attackers with Subscriber-level access—often easily obtainable through phishing or weak credential policies—can exploit this flaw to harvest personal data, potentially facilitating further attacks such as identity theft, fraud, or targeted phishing campaigns. The exposure of order details can also compromise business-sensitive information such as purchasing patterns and customer preferences. While the vulnerability does not directly affect system availability or data integrity, the erosion of access controls undermines the security posture of affected organizations. Given the widespread use of WooCommerce in Europe, especially among small and medium-sized enterprises (SMEs), the impact could be significant if exploited at scale.

Mitigation Recommendations

Immediate mitigation steps include restricting Subscriber-level access to trusted users only and reviewing user roles to minimize unnecessary privileges. Organizations should implement strict authentication controls, including multi-factor authentication (MFA), to reduce the risk of compromised accounts. Monitoring and logging access to order and invoice data can help detect suspicious activity related to this vulnerability. Since no official patch is available yet, administrators should consider temporarily disabling or uninstalling the affected plugin if feasible. Alternatively, custom code or web application firewall (WAF) rules can be deployed to validate and sanitize the 'xc_woo_printer_preview' AJAX requests, ensuring that users can only access their own data. Regularly updating WordPress and all plugins once a patch is released is critical. Additionally, organizations should conduct security awareness training to reduce the risk of credential compromise and perform periodic audits of user permissions and plugin configurations.
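One way to implement the custom-code mitigation described above, added here as an example and not taken from the plugin or the advisory: a small must-use plugin that hooks the same AJAX action before the plugin's own callback and refuses requests for orders the caller does not own. The request parameter name `order_id`, the shim function names and the plugin's default hook priority (10) are assumptions.

```php
<?php
/**
 * Added example (not the plugin's own code): a must-use plugin shim that
 * enforces ownership on the xc_woo_printer_preview AJAX action before the
 * plugin's own callback runs. Assumptions: the order id is sent in a request
 * parameter named 'order_id' (assumed; check the plugin's JavaScript for the
 * real name) and the plugin hooks at WordPress's default priority 10.
 */

/** True only if $user_id may view $order_id: shop managers always, everyone else only their own orders. */
function xc_shim_user_can_view_order( int $order_id, int $user_id ): bool {
    if ( $order_id <= 0 || $user_id <= 0 ) {
        return false;
    }
    if ( user_can( $user_id, 'manage_woocommerce' ) ) {
        return true;
    }
    $order = wc_get_order( $order_id );
    if ( ! $order instanceof WC_Order ) {
        return false; // unknown id, or a refund/other object with no customer
    }
    // Compare against the authenticated user, never against a user id taken from the request.
    return (int) $order->get_customer_id() === $user_id;
}

/** Runs before the plugin handler; on denial it replies 403 and exits, so the preview is never rendered. */
function xc_shim_guard_printer_preview(): void {
    $user_id  = get_current_user_id();
    $order_id = isset( $_REQUEST['order_id'] ) ? absint( wp_unslash( $_REQUEST['order_id'] ) ) : 0;
    if ( ! xc_shim_user_can_view_order( $order_id, $user_id ) ) {
        // Log the denial so repeated probing of other users' order ids is visible in monitoring.
        error_log( sprintf( 'xc_woo_printer_preview denied: user %d requested order %d', $user_id, $order_id ) );
        wp_send_json_error( array( 'message' => 'You are not allowed to view this order.' ), 403 );
    }
    // Authorized: return and let the plugin's own callback (priority 10) render the preview.
}

// Priority 5 so the guard runs before the plugin's handler; wp_send_json_error() exits on denial.
add_action( 'wp_ajax_xc_woo_printer_preview', 'xc_shim_guard_printer_preview', 5 );
```

Drop the file into wp-content/mu-plugins/ so it loads before regular plugins; remove it once a fixed plugin version is installed.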


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-02-13T17:48:05.095Z
CISA Enriched: true

Threat ID: 682d9840c4522896dcbf0f8e

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 5:41:28 AM

Last updated: 7/31/2025, 7:57:00 AM

