The vulnerability identified as CVE-2025-5816 affects the Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship, a WordPress plugin used for managing shipping options in WooCommerce stores. The root cause is a missing authorization check (CWE-862) in the get_order_detail() function, which handles requests to retrieve order information. Specifically, the plugin fails to validate that the authenticated user is authorized to access the requested order data, allowing an attacker with Subscriber-level privileges or higher to supply a manipulated key parameter and retrieve details of other users' orders. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability. The flaw exists in all versions up to and including 3.2.0. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 base score is 4.3, indicating medium severity, with the vector reflecting network attack vector, low attack complexity, privileges required at the low level, no user interaction, unchanged scope, and limited confidentiality impact. No known public exploits or active exploitation have been reported to date. The vulnerability primarily compromises confidentiality by exposing order details, which may include personal and transactional information, but does not affect integrity or availability of the system. The plugin is widely used in WooCommerce stores that rely on Biteship for shipping logistics, making this a relevant concern for e-commerce sites using this plugin.

The primary impact of CVE-2025-5816 is unauthorized disclosure of sensitive order information, including customer details, shipping addresses, and order contents. This breach of confidentiality can lead to privacy violations, customer trust erosion, and potential regulatory compliance issues such as GDPR or other data protection laws. While the vulnerability does not allow modification or deletion of data, the exposure of order information can facilitate targeted phishing, social engineering, or fraud attempts against customers. For organizations, this can result in reputational damage, loss of customer confidence, and potential financial penalties. Since the vulnerability requires only Subscriber-level access, which is a common baseline role in WordPress sites, the attack surface is broad within compromised or malicious user accounts. The lack of user interaction and remote exploitability increases the risk of automated or opportunistic attacks. Given WooCommerce's global popularity and the plugin's role in shipping management, many e-commerce businesses worldwide could be affected, especially those that have not updated or patched the plugin promptly.

To mitigate CVE-2025-5816, organizations should immediately update the Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship to a version that includes proper authorization checks once available. In the absence of an official patch, administrators should restrict Subscriber-level users from accessing order detail endpoints or disable the plugin temporarily if feasible. Implementing Web Application Firewall (WAF) rules to detect and block suspicious requests targeting order detail parameters can reduce exploitation risk. Conduct thorough audits of user roles and permissions to ensure that only trusted users have Subscriber or higher access. Monitoring logs for unusual access patterns to order details can help detect attempted exploitation. Additionally, consider applying principle of least privilege by limiting plugin usage to trusted administrators or shop managers. Communicating with customers about potential data exposure and reinforcing security awareness can also mitigate downstream risks. Finally, maintain regular backups and incident response plans to address any potential data breaches resulting from exploitation.