WooCommerce < 7.9.0 – Sensitive Information Exposure | Plugin Vulnerabilities

Description

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information).

Affects Plugins

Fixed in 7.9.0

References

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

osama-hamad

Verified

No

WPVDB ID

9c9498b0-d42e-4ce0-b299-ba5d08058a75

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-11-23 (about 2 years ago)

Last Updated

2023-12-10 (about 2 years ago)

Other

Published

Title

Published

2025-09-26

Title

Stackable < 3.19.0 - Authenticated (Contributor+) Sensitive Information Exposure

Published

2025-11-04

Title

KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure

Published

2021-11-11

Title

Like Button Rating < 2.6.38 - Unauthorised Vote Export to Email & IP Addresses Disclosure

Published

2022-10-24

Title

Phone Orders for WooCommerce < 3.7.2 - Subscriber+ Sensitive Data Exposure

Published

2020-01-03

Title

BuddyPress 5.0.0-5.1.1 - Private Data Exposure via REST API