Vulnerabilities and security researches forwoo-order-splitter woo-order-splitter

Apr 03, 2025

CVE, Research URL: CVE-2025-31089
Home page URL: Security reports for Order Splitter for WooCommerce
Application: Order Splitter for WooCommerce
Date: Apr 02, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fahad Mahmood Order Splitter for WooCommerce allows SQL Injection. This issue affects Order Splitter for WooCommerce: from n/a through 5.3.0.
Affected versions: max 5.3.1.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2025-12075
Home page URL: Security reports for Order Splitter for WooCommerce
Application: Order Splitter for WooCommerce
Date: Feb 18, 2026
Research Description: The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view information pertaining to other user's orders.
Affected versions: max 5.3.6.
Status: vulnerable