cleantalk
Vulnerabilities and Security Researches

Admin and Customer Messages After Order for WooCommerce: OrderConvo, CVE-2025-13389

CVE, Research URL

CVE-2025-13389

Home page URL

Security reports for Admin and Customer Messages After Order for WooCommerce: OrderConvo

Application

Admin and Customer Messages After Order for WooCommerce: OrderConvo

Published on
Nov 25, 2025
Research Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.
Affected versions
max 14.
Status
vulnerable
Previous vulnerability researches
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2024-13355) , Jan 17, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2025-13452) , Dec 11, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2025-13389) , Dec 11, 2025
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2024-33566) , Jun 07, 2024
Admin and Customer Messages After Order for WooCommerce: OrderConvo (CVE-2025-10162) , Nov 10, 2025
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026