The vulnerability identified as CVE-2025-13389 affects the nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. This plugin facilitates communication between store administrators and customers after an order is placed. The root cause is a missing authorization check in the get_order_by_id() function, which is responsible for retrieving order details and associated messages. Because the function does not verify whether the requester has the appropriate permissions to access the requested order, an unauthenticated attacker can supply arbitrary order IDs to retrieve sensitive information. This includes private conversation messages and order details that should only be accessible to the customer and authorized store personnel. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and affects all plugin versions up to 14. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts confidentiality but not integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability poses a significant privacy risk, especially for e-commerce sites handling sensitive customer data.

The primary impact of this vulnerability is unauthorized disclosure of sensitive customer and order information, including private messages exchanged between customers and store administrators. This can lead to privacy violations, loss of customer trust, and potential regulatory non-compliance, especially under data protection laws such as GDPR or CCPA. Attackers could harvest personal data, order histories, and communication details, which could be leveraged for identity theft, social engineering, or targeted phishing attacks. Although the vulnerability does not affect data integrity or availability, the exposure of confidential information alone can cause reputational damage and financial losses for affected organizations. E-commerce businesses relying on WooCommerce with this plugin installed are particularly at risk. The ease of exploitation (no authentication or user interaction required) increases the likelihood of automated scanning and data harvesting attempts if the vulnerability is not remediated promptly.

To mitigate this vulnerability, organizations should immediately verify if they are using the affected plugin and version. Since no official patch links are provided, the following steps are recommended: 1) Temporarily disable the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin until a security update is released. 2) Implement web application firewall (WAF) rules to block requests attempting to access order details with arbitrary order IDs, especially those coming from unauthenticated sources. 3) Restrict access to the plugin’s endpoints by IP whitelisting or requiring authentication at the web server level. 4) Monitor web server logs for suspicious requests targeting order retrieval functions. 5) Follow the vendor’s announcements closely and apply official patches as soon as they become available. 6) Consider alternative plugins with proper authorization controls if immediate patching is not feasible. 7) Educate administrators on the risks of exposing sensitive order data and enforce least privilege principles for plugin access.