CVE-2025-12955: CWE-862 Missing Authorization in rajeshsingh520 Live sales notification for WooCommerce
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12955 affects the Live sales notification for WooCommerce plugin, a WordPress extension used to display recent order notifications on e-commerce sites. The root cause is a missing authorization check (CWE-862) in the 'getOrders' function, which is responsible for retrieving recent order data. This function fails to verify whether the requester has the necessary permissions or capabilities before returning order details. Consequently, an unauthenticated attacker can remotely invoke this function and extract sensitive customer information including first names, city, state, country, purchase date and time, and product details. The vulnerability affects all plugin versions up to and including 2.3.39. The CVSS 3.1 base score is 7.5, indicating high severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack can be performed remotely without privileges or user interaction, impacting confidentiality only. No integrity or availability impact is noted. No public exploit code is currently known, but the ease of exploitation and sensitive data exposure make this a critical privacy concern. The plugin is widely used in WooCommerce-based e-commerce sites, which are prevalent in Europe. The lack of patch links suggests a fix is pending or not yet publicly available. Organizations relying on this plugin should consider immediate mitigation steps to prevent data leakage and comply with GDPR and other privacy regulations.
Potential Impact
The primary impact of CVE-2025-12955 is the unauthorized disclosure of sensitive customer information, including personally identifiable information (PII) such as buyer names and geographic locations, as well as purchase details. For European organizations, this data exposure can lead to significant privacy violations under the General Data Protection Regulation (GDPR), potentially resulting in regulatory fines and reputational damage. The confidentiality breach could also facilitate targeted phishing or social engineering attacks against customers. Although the vulnerability does not affect data integrity or availability, the loss of customer trust and legal consequences can be severe. E-commerce businesses using WooCommerce with this vulnerable plugin risk exposing their customer base to data theft. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and data harvesting by malicious actors. This threat is particularly critical for organizations handling large volumes of customer transactions and sensitive order information.
Mitigation Recommendations
1. Identify all WordPress installations using the Live sales notification for WooCommerce plugin and determine the version in use.
2. Monitor the plugin vendor's official channels for the release of a security patch addressing CVE-2025-12955 and apply it promptly once available.
3. Until a patch is released, implement web application firewall (WAF) rules to block or restrict access to the vulnerable 'getOrders' API endpoint or related AJAX calls.
4. Restrict access to the plugin's functionality to authenticated and authorized users only, either by customizing the plugin code or by using access control plugins.
5. Conduct a thorough audit of exposed customer data to assess potential leakage and notify affected individuals if required under GDPR.
6. Enhance monitoring and logging to detect unusual access patterns to the plugin endpoints.
7. Educate site administrators about the risks of installing plugins without proper security vetting and encourage regular updates.
8. Consider disabling or removing the plugin if it is not essential to business operations until a secure version is available.
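To make the root cause in the technical summary and mitigation step 4 concrete, the following is an added illustration written for this page; it is not the plugin's code and not taken from the advisory. It shows a WordPress AJAX handler that returns recent order data with no authorization check (the CWE-862 pattern), beside a hardened version that requires a nonce and the manage_woocommerce capability. All names prefixed example_ are assumed; the WordPress and WooCommerce functions used are standard APIs.

```php
<?php
// Hypothetical illustration, NOT the plugin's code. Shows the CWE-862 pattern the
// advisory describes (an order-listing AJAX handler reachable without any check)
// beside a hardened version. Every name prefixed "example_" is assumed.

// --- Vulnerable pattern: hooked for logged-out callers, no nonce, no capability check.
add_action( 'wp_ajax_nopriv_example_get_orders', 'example_get_orders_unchecked' );
add_action( 'wp_ajax_example_get_orders', 'example_get_orders_unchecked' );
function example_get_orders_unchecked() {
    // Anyone who can reach admin-ajax.php receives buyer PII.
    wp_send_json_success( example_collect_order_details() );
}

// --- Hardened pattern: logged-in hook only, nonce check, capability check.
add_action( 'wp_ajax_example_get_orders_secure', 'example_get_orders_checked' );
function example_get_orders_checked() {
    // Terminates the request with HTTP 403 unless a valid nonce for this action is supplied.
    check_ajax_referer( 'example_get_orders', 'nonce' );
    // Only shop managers and administrators may read customer order details.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( example_collect_order_details() );
}

// Builds the per-order payload: the same fields the advisory lists as exposed.
function example_collect_order_details() {
    $orders = wc_get_orders( array(
        'limit'   => 10,
        'status'  => 'completed',
        'orderby' => 'date',
        'order'   => 'DESC',
    ) );
    $rows = array();
    foreach ( $orders as $order ) {
        $products = array();
        foreach ( $order->get_items() as $item ) {
            $products[] = $item->get_name();
        }
        $created = $order->get_date_created();
        $rows[] = array(
            'first_name' => $order->get_billing_first_name(),
            'city'       => $order->get_billing_city(),
            'state'      => $order->get_billing_state(),
            'country'    => $order->get_billing_country(),
            'purchased'  => $created ? $created->date( 'c' ) : null,
            'products'   => $products,
        );
    }
    return $rows;
}
```

If a site genuinely needs to show sales activity to anonymous visitors, the public handler should return only non-identifying fields (for example product name and a coarse time) rather than the buyer's name and location.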
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T14:48:53.588Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c3e32a312a743bb510ba3
Added to database: 11/18/2025, 9:36:50 AM
Last enriched: 11/25/2025, 11:11:56 AM
Last updated: 1/7/2026, 8:46:38 AM