
CVE-2025-13452: CWE-639 Authorization Bypass Through User-Controlled Key in nmedia Admin and Customer Messages After Order for WooCommerce: OrderConvo

Severity: Medium
Tags: Vulnerability, CVE-2025-13452, CWE-639
Published: Tue Nov 25 2025 (11/25/2025, 07:28:20 UTC)
Source: CVE Database V5
Vendor/Project: nmedia
Product: Admin and Customer Messages After Order for WooCommerce: OrderConvo

Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

AI-Powered Analysis

Last updated: 12/02/2025, 14:45:38 UTC

Technical Analysis

CVE-2025-13452 is an authorization bypass, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress. All versions up to and including 14 are affected. The root cause is the REST API permission callback, which returns true when the request carries no nonce. In WordPress, the X-WP-Nonce header is what authenticates a cookie-based REST request; when the header is absent, core does not reject the request but simply leaves the current user as 0 (anonymous). A permission callback that treats "no nonce" as "allowed" therefore admits every unauthenticated caller. The handler then trusts the client-supplied user_id, order_id and context parameters, which is the user-controlled key of CWE-639: the attacker chooses which WordPress user the message appears to come from, which order conversation it lands in, and in which context. Anyone who can reach the REST endpoint can thus inject arbitrary messages into any WooCommerce order conversation on the site.

The flaw affects message integrity only; it does not by itself expose data or affect availability. The recorded CVSS v3.1 base score is 4.3 (medium): network attack vector, low attack complexity, no user interaction and a limited integrity impact. A 4.3 score corresponds to a vector with low privileges required (PR:L), which does not match the description's statement that unauthenticated attackers can exploit the flaw, so the privilege component should be checked against the authoritative record before the score is used for prioritization. No patch or known exploit was listed at the time of this analysis, but the flaw undermines the trustworthiness of order communications wherever the plugin is installed.
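The pattern the analysis describes, as an added illustration rather than the OrderConvo plugin's own code: a REST permission callback that admits requests with no nonce and then trusts a client-supplied user_id, next to a hardened registration that authenticates the caller and authorises against the specific order. The namespace, route names, message storage and the choice of the edit_shop_orders capability for staff are assumptions made for the example.

```php
<?php
// Added illustration, not the OrderConvo plugin's code. Namespace, routes,
// storage and the staff capability are placeholders chosen for the example.

add_action( 'rest_api_init', function () {

    // VULNERABLE pattern: "no nonce" is treated as "trusted".
    // WordPress core already validates X-WP-Nonce for cookie authentication;
    // when the header is absent it leaves the current user as 0 (anonymous).
    // Returning true here therefore admits any unauthenticated caller, and the
    // handler then trusts the client-supplied user_id (the user-controlled key).
    register_rest_route( 'example-convo/v1', '/message-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = $request->get_header( 'X-WP-Nonce' );
            if ( empty( $nonce ) ) {
                return true; // BUG: missing nonce => allowed
            }
            return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
        },
        'callback' => function ( WP_REST_Request $request ) {
            // Every value that decides attribution and placement is attacker-controlled.
            $user_id  = (int) $request->get_param( 'user_id' );
            $order_id = (int) $request->get_param( 'order_id' );
            $context  = sanitize_text_field( (string) $request->get_param( 'context' ) );
            // ... message stored as written by $user_id on $order_id in $context ...
            return rest_ensure_response( array( 'stored' => true ) );
        },
    ) );

    // HARDENED pattern: identity and context come from the server side, and the
    // permission callback checks the caller against the order being targeted.
    register_rest_route( 'example-convo/v1', '/message', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_convo_can_post',
        'args'                => array(
            'order_id' => array( 'required' => true, 'type' => 'integer' ),
            'message'  => array( 'required' => true, 'type' => 'string' ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $user_id  = get_current_user_id();                 // never from the request
            $context  = current_user_can( 'edit_shop_orders' ) // derived, not supplied
                ? 'admin' : 'customer';
            $order_id = (int) $request->get_param( 'order_id' );
            $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
            // ... store $message attributed to $user_id on $order_id in $context ...
            return rest_ensure_response( array( 'stored' => true, 'author' => $user_id ) );
        },
    ) );
} );

/**
 * Authorisation for the hardened route. Cookie auth without a valid nonce, or
 * no authentication at all, leaves the current user as 0 and fails the first check.
 */
function example_convo_can_post( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    $order = wc_get_order( (int) $request->get_param( 'order_id' ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Unknown order.', array( 'status' => 404 ) );
    }
    // Staff (assumed: anyone with edit_shop_orders) may post on any order;
    // customers only on orders that belong to them.
    if ( current_user_can( 'edit_shop_orders' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === get_current_user_id() ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not your order.', array( 'status' => 403 ) );
}
```

The point of the hardened version is that nonce verification is not authorisation. Core already handles the nonce for cookie sessions; what the permission callback must do is refuse user 0 and tie the caller to the order, and the handler must take author and context from the authenticated session, not from the request body.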

Potential Impact

For European organizations, this vulnerability undermines the integrity of order-related communications in WooCommerce, a widely used e-commerce platform. An attacker can post into any order conversation as any user, including as the store's own staff, which makes the flaw a ready vehicle for social engineering: a message that appears to come from the shop asking the customer to pay to a different account, re-enter card details or follow a link is far more credible inside the order thread than in unsolicited email. Messages that appear to come from a customer can likewise mislead staff into changing, cancelling or re-shipping orders. The vulnerability does not by itself expose sensitive data or disrupt service, but the resulting fraud, operational errors and loss of customer trust can carry real financial and reputational cost. The exposure is greatest for shops with high transaction volumes and heavy reliance on the order messaging feature.

Mitigation Recommendations

No official patch was available at the time of this analysis, so organizations should put compensating controls in place now. The most direct control is to refuse unauthenticated requests to the plugin's REST namespace (all WordPress REST routes sit under /wp-json/, and each plugin registers its own namespace there) at the web server, the WAF, or through a small must-use plugin hooked into the REST dispatcher. Where the messaging feature is not business-critical, deactivating the plugin until a fixed version is released removes the exposure entirely.

Administrators should not treat nonce validation as the fix: WordPress core already checks the X-WP-Nonce header for cookie sessions, and the underlying defect is a permission callback that admits anonymous callers and a handler that trusts a client-supplied user_id. A corrected version must require a logged-in user, derive the message author from the session, and check that the caller may act on the targeted order. When the vendor ships an update, confirm that it does these things rather than only adding a nonce check, and apply it promptly.

For detection, review web server and REST logs for POST requests under /wp-json/ to the plugin's namespace that carry user_id, order_id or context parameters without a logged-in WordPress cookie, and for authenticated requests whose user_id differs from the session user. Because the flaw has existed in all versions, also review existing order conversations for messages that staff or customers did not write, and treat any found as an incident to be communicated to affected customers. Finally, reduce REST exposure generally: limit which plugins register unauthenticated routes, keep user roles minimal, and remind staff and customers to verify unexpected payment or account instructions received through order messages.
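One form the compensating control can take, as an added example that is not vendor code: a must-use plugin that hooks the REST dispatcher, refuses anonymous requests to the plugin's namespace, and logs both those and any authenticated request whose user_id does not match the session. The namespace constant is an assumption; replace it with the namespace the installed plugin actually registers (visible in the index at /wp-json/).

```php
<?php
/**
 * Plugin Name: OrderConvo REST gate (temporary compensating control)
 * Description: Added example, not vendor code. Blocks anonymous calls to the
 * plugin's REST namespace and logs suspicious ones until a fixed version ships.
 * Install by copying into wp-content/mu-plugins/.
 */

defined( 'ABSPATH' ) || exit;

// ASSUMED placeholder: set this to the namespace the installed plugin registers.
define( 'ORDERCONVO_GATE_NAMESPACE', '/orderconvo/v1/' );

add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route();

    // Leave every other namespace alone.
    if ( strpos( $route, ORDERCONVO_GATE_NAMESPACE ) !== 0 ) {
        return $result;
    }

    // By the time rest_pre_dispatch runs, core has already evaluated cookie+nonce,
    // application-password and other authentication. A request with no valid
    // authentication is user 0 here no matter what user_id it claims.
    if ( ! is_user_logged_in() ) {
        orderconvo_gate_log( 'anonymous request blocked', $request );
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => 401 ) );
    }

    // Authenticated caller claiming a different identity: log it (impersonation
    // attempt via the user-controlled key). Logging only, so legitimate staff
    // flows are not broken by the gate; block here too if your site never
    // legitimately submits a foreign user_id.
    $claimed = (int) $request->get_param( 'user_id' );
    if ( $claimed && $claimed !== get_current_user_id() ) {
        orderconvo_gate_log( 'user_id mismatch', $request );
    }

    return $result; // null: let normal dispatch continue
}, 10, 3 );

/** Write one line to the PHP error log with the fields an analyst will want. */
function orderconvo_gate_log( $reason, WP_REST_Request $request ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf(
        '[orderconvo-gate] %s ip=%s method=%s route=%s session_user=%d user_id=%s order_id=%s context=%s',
        $reason,
        $ip,
        $request->get_method(),
        $request->get_route(),
        get_current_user_id(),
        (string) $request->get_param( 'user_id' ),
        (string) $request->get_param( 'order_id' ),
        (string) $request->get_param( 'context' )
    ) );
}
```

Two caveats before deploying this. If the shop allows guest checkout and guest customers legitimately use the messaging feature, the gate will block them, so narrow the route match to the message-posting endpoint rather than the whole namespace. And because this runs inside WordPress, it does nothing against requests the web server never passes to PHP; it complements, rather than replaces, a WAF rule.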


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-11-19T19:28:16.353Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69255e2a292ce6fc00be0647

Added to database: 11/25/2025, 7:43:38 AM

Last enriched: 12/2/2025, 2:45:38 PM

Last updated: 1/10/2026, 10:16:20 PM


