CVE-2026-9612: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in yapacdev WhatsOrder – Instant Checkout for WooCommerce
The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.
AI Analysis
Technical Summary
CVE-2026-9612 describes a vulnerability in the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.1. The vulnerability arises because invoice HTML files are saved in the wp-content/uploads/whatsorder_invoices/ directory, which is publicly accessible and lacks access control mechanisms like .htaccess deny rules or index.php guards. Attackers can enumerate sequential order IDs to retrieve sensitive customer information including PII and order details without authentication via the yapacdev_generate_order_pdf functionality. This constitutes an exposure of sensitive information (CWE-200).
Potential Impact
The vulnerability allows unauthenticated attackers to access sensitive customer information such as full names, email addresses, phone numbers, billing addresses, ordered items with quantities and prices, applied coupons, shipping methods, and order totals. This exposure can lead to privacy violations and potential misuse of customer data. There is no indication of impact on data integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to restrict access to the wp-content/uploads/whatsorder_invoices/ directory by implementing server-level access controls such as .htaccess deny rules or moving invoice files to a non-public directory. Monitoring for unauthorized access attempts to this directory is also advisable.
CVE-2026-9612: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in yapacdev WhatsOrder – Instant Checkout for WooCommerce
Description
The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9612 describes a vulnerability in the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress, affecting all versions up to and including 1.0.1. The vulnerability arises because invoice HTML files are saved in the wp-content/uploads/whatsorder_invoices/ directory, which is publicly accessible and lacks access control mechanisms like .htaccess deny rules or index.php guards. Attackers can enumerate sequential order IDs to retrieve sensitive customer information including PII and order details without authentication via the yapacdev_generate_order_pdf functionality. This constitutes an exposure of sensitive information (CWE-200).
Potential Impact
The vulnerability allows unauthenticated attackers to access sensitive customer information such as full names, email addresses, phone numbers, billing addresses, ordered items with quantities and prices, applied coupons, shipping methods, and order totals. This exposure can lead to privacy violations and potential misuse of customer data. There is no indication of impact on data integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to restrict access to the wp-content/uploads/whatsorder_invoices/ directory by implementing server-level access controls such as .htaccess deny rules or moving invoice files to a non-public directory. Monitoring for unauthorized access attempts to this directory is also advisable.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-26T16:28:53.424Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3b7813eed863c81e5f7326
Added to database: 06/24/2026, 06:24:19 UTC
Last enriched: 06/24/2026, 06:40:48 UTC
Last updated: 06/24/2026, 19:35:19 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.