Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details | CVE 2025-5816 | Plugin Vulnerabilities

Description

The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the get_order_detail() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's orders.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/48509d43-57bb-452c-b39b-905354a273f3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

ch4r0n

Verified

No

WPVDB ID

854ed578-39af-467d-aa0c-893f24483a27

Timeline

Publicly Published

2025-07-17 (about 9 months ago)

Added

2025-07-17 (about 9 months ago)

Last Updated

2025-07-18 (about 9 months ago)

Other

Published

Title

Published

2024-12-11

Title

Car Dealer < 4.48 - Missing Authorization

Published

2024-06-28

Title

Uncanny Automator Pro < 5.3.0.1 - Missing Authorization to Unauthenticated License Setting Reset

Published

2022-03-28

Title

RSVP and Event Management < 2.7.8 - Unauthenticated Entries Export

Published

2023-12-27

Title

WooCommerce Shipping Per Product < 2.5.5 - Missing Authorization

Published

2025-04-04

Title

Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic <= 1.9 - Missing Authorization