Vulnerabilities and security researches foradmin-and-client-message-after-order-for-woocommerce admin-and-client-message-after-order-for-woocommerce

Jun 07, 2024

CVE, Research URL: CVE-2024-33566
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Apr 29, 2024
Research Description: Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4.
Affected versions: max 12.5.
Status: vulnerable

Jan 17, 2025

CVE, Research URL: CVE-2024-13355
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Jan 16, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.
Affected versions: max 13.3.
Status: vulnerable

Nov 10, 2025

CVE, Research URL: CVE-2025-10162
Home page URL: Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo
Application: Admin and Customer Messages After Order for WooCommerce: OrderConvo
Date: Oct 07, 2025
Research Description: The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
Affected versions: max 14.
Status: vulnerable