CVE-2025-13389: CWE-639 Authorization Bypass Through User-Controlled Key in nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
AI Analysis
Technical Summary
CVE-2025-13389 is an authorization bypass vulnerability (CWE-639) in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. The issue is due to the absence of a capability check in the get_order_by_id() function across all versions up to and including 14. This allows unauthenticated attackers to retrieve sensitive WooCommerce order information and private conversations between customers and store administrators by specifying arbitrary order IDs. The vulnerability is remotely exploitable without authentication and requires no user interaction. The CVSS v3.1 base score is 5.3, reflecting a medium severity impact primarily on confidentiality.
Potential Impact
An attacker can view sensitive WooCommerce order details and private messages between customers and store administrators without authentication. This unauthorized data disclosure impacts the confidentiality of customer and order information. There is no indication of integrity or availability impact. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the plugin or disabling it if possible to prevent unauthorized data exposure. Monitor vendor channels for updates and apply patches promptly once available.
CVE-2025-13389: CWE-639 Authorization Bypass Through User-Controlled Key in nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo
Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13389 is an authorization bypass vulnerability (CWE-639) in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. The issue is due to the absence of a capability check in the get_order_by_id() function across all versions up to and including 14. This allows unauthenticated attackers to retrieve sensitive WooCommerce order information and private conversations between customers and store administrators by specifying arbitrary order IDs. The vulnerability is remotely exploitable without authentication and requires no user interaction. The CVSS v3.1 base score is 5.3, reflecting a medium severity impact primarily on confidentiality.
Potential Impact
An attacker can view sensitive WooCommerce order details and private messages between customers and store administrators without authentication. This unauthorized data disclosure impacts the confidentiality of customer and order information. There is no indication of integrity or availability impact. No known exploits have been reported in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the plugin or disabling it if possible to prevent unauthorized data exposure. Monitor vendor channels for updates and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-18T21:12:44.956Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69255e28292ce6fc00be0620
Added to database: 11/25/2025, 7:43:36 AM
Last enriched: 4/9/2026, 4:29:38 PM
Last updated: 5/10/2026, 3:36:09 AM
Views: 113
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.