Vulnerabilities and security researches foradmin-and-client-message-after-order-for-woocommerce admin-and-client-message-after-order-for-woocommerce

Jun 07, 2024

CVE, Research URL: CVE-2024-33566
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Apr 29, 2024
Research Description: Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.
Affected versions: max 12.5.
Status: vulnerable

Jan 17, 2025

CVE, Research URL: CVE-2024-13355
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Jan 16, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
Affected versions: max 13.3.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-10162
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Oct 07, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
Affected versions: max 14.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-13452
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Nov 25, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.
Affected versions: max 14.
Status: vulnerable

CVE, Research URL: CVE-2025-13389
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Nov 25, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Affected versions: max 14.
Status: vulnerable