Live sales notification for WooCommerce < 2.3.40 – Missing Authorization to Unauthenticated Customer Data Exposure | CVE 2025-12955 | Plugin Vulnerabilities

Description

The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.

Affects Plugins

live-sales-notifications-for-woocommerce

Fixed in 2.3.40

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1cebcf16-ae7f-45c4-8e1d-80ede4c32106

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada)

Verified

No

WPVDB ID

2b3110fb-95c9-476c-ab28-a710c0aab8b7

Timeline

Publicly Published

2025-11-17 (about 6 months ago)

Added

2025-11-17 (about 6 months ago)

Last Updated

2025-11-18 (about 6 months ago)

Other

Published

Title

Published

2024-11-05

Title

Video Gallery for WooCommerce < 1.32 - Missing Authorization to Unauthenticated Limited File Deletion

Published

2022-11-16

Title

Donation Button <= 4.0.0 - Subscriber+ Broken Access Control leading to SMS Spam

Published

2025-01-06

Title

Host PHP Info <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Disclosure

Published

2022-12-23

Title

Waiting: One-click countdowns <= 0.6.2 - Missing Authorization

Published

2025-10-19

Title

Business Directory < 6.4.19 - Missing Authorization