CVE-2025-12955: CWE-862 Missing Authorization in rajeshsingh520 Live sales notification for WooCommerce
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Live sales notification for WooCommerce plugin, developed by rajeshsingh520, suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2025-12955. This vulnerability exists in all versions up to and including 2.3.39. The root cause is the lack of proper authorization and capability checks in the getOrders function, which is responsible for retrieving recent order information to display live sales notifications. Because of this missing authorization, unauthenticated attackers can invoke this function remotely without any credentials or user interaction. This allows them to extract sensitive customer information including buyer first names, city, state, country, purchase date and time, and product details. The vulnerability affects the confidentiality of customer data but does not impact data integrity or availability. The CVSS v3.1 base score is 7.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date (November 18, 2025). The plugin is widely used in WooCommerce-based WordPress e-commerce sites, making the vulnerability relevant to many online retailers globally.
Potential Impact
The primary impact of CVE-2025-12955 is the unauthorized disclosure of sensitive customer information, which can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Attackers can harvest personally identifiable information (PII) such as buyer names and geographic locations, as well as purchase behavior and product preferences, which could be leveraged for targeted phishing, fraud, or competitive intelligence. Although the vulnerability does not allow modification or deletion of data, the exposure of confidential customer data alone is significant for e-commerce businesses. Organizations may face legal liabilities and loss of customer trust if exploited. Given the ease of exploitation (no authentication or user interaction required), the vulnerability is particularly dangerous for publicly accessible WooCommerce sites using the affected plugin versions.
Mitigation Recommendations
1. Immediate mitigation involves updating the Live sales notification for WooCommerce plugin to a fixed version once released by the vendor. Monitor vendor communications for patch announcements.
2. If no patch is available, disable or uninstall the plugin to eliminate the attack surface.
3. Implement web application firewall (WAF) rules to restrict access to the getOrders endpoint or related AJAX calls, allowing only authorized users or IP ranges.
4. Conduct a thorough audit of customer data access logs to detect any suspicious activity related to this vulnerability.
5. Limit the exposure of sensitive order information in live sales notifications, or configure the plugin to display only non-sensitive data.
6. Apply the principle of least privilege to WordPress roles and capabilities to reduce the potential impact.
7. Educate site administrators about the risk and encourage regular plugin updates and security monitoring.
8. Consider additional network segmentation or access controls for backend systems hosting WooCommerce sites.
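The following is an added example written for this page, not the plugin's own getOrders function, showing the two controls behind recommendations 3, 5 and 6 in a WordPress AJAX handler: a privileged endpoint that enforces a nonce and a WooCommerce capability before returning order details, and a separate anonymous endpoint for the storefront widget that returns only non-sensitive fields. The example_* names, the nonce action, the chosen capability and the returned field set are assumptions; the WordPress and WooCommerce API calls themselves are standard.

```php
<?php
/**
 * Added example (not the plugin's code): two WordPress AJAX handlers that
 * expose recent-order data with authorization and data minimization.
 * Names prefixed example_, the nonce action and the field set are assumptions.
 */

// Privileged endpoint: registered for logged-in users only (wp_ajax_, with no
// wp_ajax_nopriv_ twin), and the callback still verifies a nonce and a capability.
add_action( 'wp_ajax_example_recent_orders_detail', 'example_recent_orders_detail' );

function example_recent_orders_detail() {
    // Rejects requests that lack a valid nonce for this action (dies with 403 by default).
    check_ajax_referer( 'example_recent_orders_nonce', 'nonce' );

    // Capability check: manage_woocommerce is held by shop managers and administrators.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $orders = wc_get_orders( array(
        'limit'   => 10,
        'orderby' => 'date',
        'order'   => 'DESC',
        'status'  => array( 'wc-completed', 'wc-processing' ),
    ) );

    $out = array();
    foreach ( $orders as $order ) {
        $created = $order->get_date_created();
        $out[] = array(
            'id'         => $order->get_id(),
            'first_name' => $order->get_billing_first_name(),
            'city'       => $order->get_billing_city(),
            'country'    => $order->get_billing_country(),
            'created'    => $created ? $created->date( 'c' ) : null,
        );
    }
    wp_send_json_success( $out );
}

// Public endpoint for the storefront widget: intentionally anonymous, so it must
// never return buyer PII. Only product names and a coarse time bucket leave the server.
add_action( 'wp_ajax_example_recent_sales_public', 'example_recent_sales_public' );
add_action( 'wp_ajax_nopriv_example_recent_sales_public', 'example_recent_sales_public' );

function example_recent_sales_public() {
    $orders = wc_get_orders( array(
        'limit'   => 5,
        'orderby' => 'date',
        'order'   => 'DESC',
        'status'  => 'wc-completed',
    ) );

    $out = array();
    foreach ( $orders as $order ) {
        foreach ( $order->get_items() as $item ) {
            $out[] = array(
                'product' => $item->get_name(),
                'when'    => example_coarse_age( $order->get_date_created() ),
            );
        }
    }
    wp_send_json_success( $out );
}

// Replaces an exact purchase timestamp with a bucket such as "minutes ago".
function example_coarse_age( $date ) {
    if ( ! $date ) {
        return 'recently';
    }
    $age = time() - $date->getTimestamp();
    if ( $age < HOUR_IN_SECONDS ) {
        return 'minutes ago';
    }
    if ( $age < DAY_IN_SECONDS ) {
        return 'hours ago';
    }
    return 'days ago';
}
```

The split into two handlers is the design point: a notification widget that must be readable by anonymous visitors cannot rely on a capability check, so the anonymous path has to be stripped of names, locations and exact times, while anything richer stays behind `wp_ajax_` registration plus an explicit `current_user_can()` test.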
Affected Countries
United States, United Kingdom, Germany, Australia, Canada, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-10T14:48:53.588Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691c3e32a312a743bb510ba3
Added to database: 11/18/2025, 9:36:50 AM
Last enriched: 2/27/2026, 9:21:53 PM
Last updated: 3/25/2026, 5:44:48 AM