CVE-2025-15033 is a medium severity authorization bypass vulnerability identified in Automattic's WooCommerce plugin for WordPress, affecting versions 8.1.0 through 10.4.0. The root cause is linked to CWE-639 (Authorization Bypass Through User-Controlled Key), where the system improperly validates or restricts access to order data based on user-supplied keys. Specifically, logged-in customers can exploit this flaw to access order details of guest customers, which should normally be inaccessible to them. This vulnerability arises due to insufficient authorization checks on order data retrieval endpoints or API calls, allowing unauthorized data disclosure (CWE-200). The flaw does not impact integrity or availability, and exploitation requires the attacker to be authenticated as a customer but does not require any special privileges or user interaction. WooCommerce versions prior to 8.1.0 are not affected. The issue was addressed in WooCommerce 8.1.3 and subsequent point releases, culminating in version 10.4.3. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high confidentiality impact. No public exploits have been reported yet, but the vulnerability poses a risk of unauthorized exposure of sensitive order information, including potentially personal and payment-related data of guest customers. The vulnerability is particularly relevant for WooCommerce sites configured to allow guest checkouts and where order data is accessible via user-controllable keys.

The primary impact of CVE-2025-15033 is unauthorized disclosure of sensitive order information belonging to guest customers on WooCommerce-powered e-commerce sites. This can lead to privacy violations, potential exposure of personal identifiable information (PII), and possibly payment or shipping details. Such data leakage can damage customer trust, lead to regulatory non-compliance (e.g., GDPR, CCPA), and result in reputational harm and financial penalties. Since the vulnerability requires only low-level authenticated access (a logged-in customer), attackers can exploit it without elevated privileges, increasing the risk surface. However, the vulnerability does not allow modification or deletion of data, nor does it impact system availability. Organizations running affected WooCommerce versions with guest checkout enabled and certain configurations are at risk. The scope includes potentially millions of WooCommerce sites globally, especially those that have not applied the patches released since version 8.1.3. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure.

1. Immediately update WooCommerce to version 10.4.3 or later, or at minimum to the earliest patched version 8.1.3 if running an affected version between 8.1.0 and 10.4.0. 2. Review and harden site configurations related to guest checkout and order data access controls to ensure strict authorization enforcement. 3. Implement additional access control layers such as Web Application Firewalls (WAF) with custom rules to detect and block anomalous requests attempting to access order data via user-controlled keys. 4. Conduct thorough audits and penetration testing focused on authorization logic around order data retrieval endpoints. 5. Monitor logs for unusual access patterns by authenticated customers querying order data not belonging to them. 6. Educate development and operations teams about the importance of secure authorization checks when handling user-supplied keys or parameters. 7. If immediate patching is not feasible, consider temporarily disabling guest checkout or restricting access to order data APIs until patched. 8. Regularly review WooCommerce and WordPress security advisories to stay informed about new vulnerabilities and patches.