WordPress Plugin Vulnerabilities

WooCommerce Email Test 1.5 - Order Information Disclosure

Description

When this plugin is installed, any anonymous user can open this url

https://www.domainname.de/?woocommerce_email_test=WC_Email_Customer_Completed_Order

..which shows the last (most recent) order along with all customer details, email address and cart content.

This is a severe security/data privacy breach and unlawful in (at least) germany.

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-email-test
Fixed in 1.6

References

URL
https://plugins.trac.wordpress.org/changeset/1549532/woocommerce-email-test

Miscellaneous

Submitter
jansass GmbH
Submitter website
https://www.jansass.com
Verified
No
WPVDB ID
af787d32-ef0f-4bab-8034-fe6bf7ca7eed

Timeline

Publicly Published
2016-12-08 (about 9 years ago)
Added
2016-12-09 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2015-02-26
Title
EasyCart 1.1.30 - 3.0.20 - Privilege Escalation
Published
2020-03-18
Title
Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints
Published
2012-06-01
Title
Limit Login Attempts < 1.7.1 - Auth Cookies Brute Force Bypass
Published
2015-04-09
Title
WP REST API (WP API) <= 1.2 - Post Revision Disclosure
Published
2019-05-29
Title
ConvertPlus <= 3.4.2 - Unauthenticated Arbitrary User Role Creation