WooCommerce < 10.0 – Shop Manager PII Leak in Multisite | Plugin Vulnerabilities

Description

The plugin does not properly restrict the REST API Key associated with a shop manager or higher and linked to an individual site within a multisite network, which can be used to read information about arbitrary users from across the network, even if those users were not added to the site in question.

Proof of Concept

1.) Set up two sites on a multisite setup - site 1 and site 2
2.) Add new users for each site
3.) Generate an API key with a shop manager role for site 1
4.) Make a request using the API keys to /wp-json/wc/v3/customers/<user_id_of_site_2>

Affects Plugins

Fixed in 10.0

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Barry Hughes

Verified

Yes

WPVDB ID

7a380aca-4579-4a38-b566-4c4e9ef049f5

Timeline

Publicly Published

2025-07-21 (about 8 months ago)

Added

2025-07-21 (about 8 months ago)

Last Updated

2025-07-21 (about 8 months ago)

Other

Published

Title

Published

2024-08-01

Title

Ebook Store < 5.8002 - Unauthenticated Full Path Disclosure

Published

2025-12-31

Title

BoomDevs WordPress Coming Soon <= 1.0.4 - Unauthenticated Information Exposure

Published

2024-04-10

Title

Element Pack Elementor Addons < 5.6.0 - Sensitive Information Exposure via element_pack_ajax_search

Published

2025-09-26

Title

FoodBook < 4.7.7 - Unauthenticated Sensitive Information Exposure

Published

2025-11-04

Title

AI Engine < 3.1.4 - Unauthenticated Privilege Escalation