CVE-2025-1284 is a security vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Woocommerce Automatic Order Printing plugin for WordPress, previously known as WooCommerce Google Cloud Print. The vulnerability arises from an insecure direct object reference (IDOR) flaw in the plugin's AJAX handler named xc_woo_printer_preview. Specifically, the plugin fails to properly validate a user-supplied key parameter that controls access to order and invoice previews. As a result, any authenticated user with at least Subscriber-level privileges can manipulate this key to access invoices and order details belonging to other users. These documents often contain sensitive personal and transactional information, such as customer names, addresses, order contents, and possibly payment details. The vulnerability affects all versions up to and including 4.1 of the plugin. The flaw does not allow attackers to modify or delete data, nor does it affect system availability. Exploitation requires authentication but no additional user interaction, making it relatively easy for low-privileged users to exploit once logged in. The CVSS v3.1 base score is 4.3, indicating medium severity primarily due to confidentiality impact. No public exploits or active exploitation campaigns have been reported to date. The vulnerability was reserved in February 2025 and published in April 2025. Given the widespread use of WooCommerce and its plugins in e-commerce websites globally, this vulnerability poses a risk to customer privacy and data protection compliance.

The primary impact of CVE-2025-1284 is unauthorized disclosure of sensitive customer information, including invoices and order details, which can contain personally identifiable information (PII) and transactional data. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Although the vulnerability does not allow data modification or service disruption, the leakage of sensitive data can facilitate further attacks such as phishing, social engineering, or identity theft. Organizations running WooCommerce stores with this plugin are at risk of exposing their customers' confidential information to any authenticated user, including low-privileged subscribers or customers. This risk is particularly significant for businesses handling large volumes of orders or sensitive customer data. The medium CVSS score reflects the limited scope of impact to confidentiality only, with no integrity or availability consequences. However, the ease of exploitation by authenticated users increases the likelihood of abuse in compromised or insider threat scenarios.

To mitigate CVE-2025-1284, organizations should immediately update the Woocommerce Automatic Order Printing plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict plugin usage to trusted users only and consider disabling the plugin if feasible. Implementing strict access controls and monitoring user activities related to order and invoice access can help detect unauthorized attempts. Additionally, review and harden the AJAX endpoint permissions by applying custom code or security plugins that validate user authorization before serving sensitive data. Employing web application firewalls (WAFs) with rules targeting suspicious parameter manipulation may reduce exploitation risk. Regularly audit user roles and permissions to ensure minimal privilege principles are enforced. Finally, inform customers about potential data exposure and prepare incident response plans to address any data privacy concerns.