CVE-2025-64382: Missing Authorization in WebToffee Order Export & Order Import for WooCommerce
Missing Authorization vulnerability in WebToffee Order Export & Order Import for WooCommerce (plugin slug: order-import-export-for-woocommerce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Export & Order Import for WooCommerce: from n/a through <= 2.6.7.
AI Analysis
Technical Summary
CVE-2025-64382 identifies a missing authorization vulnerability in the WebToffee Order Export & Order Import plugin for WooCommerce, affecting versions up to and including 2.6.7. The vulnerability stems from incorrectly configured access control mechanisms that fail to properly verify user permissions before allowing access to order export and import features. This flaw enables authenticated but low-privileged users (PR:L in the CVSS vector) to export or import order data without proper authorization, potentially exposing sensitive customer order information. The vulnerability does not require user interaction and can be exploited remotely over the network. According to the CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), the attack complexity is low, and the impact is limited to confidentiality, with no impact on integrity or availability. No public exploits have been reported yet, but the risk remains significant for organizations relying on this plugin for order management in WooCommerce environments. The plugin is widely used in e-commerce setups, making this a relevant threat for online retailers. The vulnerability was published on November 13, 2025, and no patch links are currently available, so users should monitor vendor updates closely.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of order data, which may include customer names, addresses, purchase details, and potentially payment-related information depending on the data stored. Such exposure can lead to privacy violations under GDPR, reputational damage, and potential financial losses due to fraud or phishing attacks leveraging leaked data. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone is significant for businesses handling sensitive customer information. E-commerce businesses in Europe, especially SMEs using WooCommerce with the affected plugin, are at risk. The medium severity rating reflects the limited scope of impact but acknowledges the ease of exploitation and the sensitivity of the data involved. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, particularly as attackers often target e-commerce platforms.
Mitigation Recommendations
1. Monitor WebToffee’s official channels and Patchstack for security updates and apply patches immediately once available.
2. Restrict access to the Order Export & Import plugin functionalities strictly to trusted administrative roles; review and tighten user permissions in WooCommerce.
3. Implement network-level access controls such as IP whitelisting or VPN requirements for accessing the WooCommerce admin interface.
4. Conduct regular audits of user roles and permissions to ensure no unauthorized users have elevated privileges.
5. Enable logging and monitoring of export/import activities to detect anomalous behavior promptly.
6. Consider temporarily disabling the plugin if patching is delayed and if business processes allow.
7. Educate staff about the risks of unauthorized data access and enforce strong authentication mechanisms for admin accounts.
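As an added illustration, not the plugin's own code (the advisory does not show where its check is missing), the authorization pattern that mitigations 2 and 5 call for in a WordPress/WooCommerce context: a hypothetical admin-ajax export handler shown without a permission check, then hardened with a nonce check, a WooCommerce capability check and an audit log line. The handler names, the nonce action `wt_demo_export` and the log format are assumptions.

```php
<?php
// Added example; hypothetical handler names, not the WebToffee plugin's code.

// Weak form: wp_ajax_* hooks fire for every authenticated account, so any
// logged-in user reaches the export path. Only the capability check below
// turns "is logged in" into "is allowed to export orders".
function wt_demo_export_orders_unchecked() {
    $order_ids = wc_get_orders( array( 'limit' => -1, 'return' => 'ids' ) );
    wp_send_json_success( $order_ids );
}
add_action( 'wp_ajax_wt_demo_export_unchecked', 'wt_demo_export_orders_unchecked' );

// Hardened form: three checks before any order data leaves the site.
function wt_demo_export_orders_checked() {
    // 1. CSRF: the request must carry a nonce minted for this exact action
    //    (passed as the 'nonce' query/POST parameter). Dies on failure.
    check_ajax_referer( 'wt_demo_export', 'nonce' );

    // 2. Authorization: require a capability that only administrators and
    //    shop managers hold, rather than mere authentication.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Audit trail (mitigation 5): record who exported, from where, and
    //    how much, so unusual export volume or actors can be alerted on.
    $user      = wp_get_current_user();
    $order_ids = wc_get_orders( array( 'limit' => -1, 'return' => 'ids' ) );
    $remote    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a';
    error_log( sprintf(
        '[order-export] user_id=%d login=%s ip=%s orders=%d',
        $user->ID, $user->user_login, $remote, count( $order_ids )
    ) );

    wp_send_json_success( $order_ids );
}
add_action( 'wp_ajax_wt_demo_export', 'wt_demo_export_orders_checked' );
```

When auditing a plugin for this bug class, every `wp_ajax_*`, `admin_post_*` and REST route callback that touches order data should contain an equivalent `current_user_can()` (or REST `permission_callback`) check, not just a nonce.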
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-31T11:25:32.711Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6915aa34dac9b42fc37a58f5
Added to database: 11/13/2025, 9:51:48 AM
Last enriched: 1/21/2026, 12:11:47 AM
Last updated: 2/6/2026, 5:09:53 AM