WooCommerce < 8.1.1 – Shop Manager+ User Metadata Disclosure | Plugin Vulnerabilities

Description

The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata which could include tokens and other potentially sensitive data

Proof of Concept

As a shop manager or product vendor admin:

Edit an order/create an order.
Search for a user (any user, including admin level users).
Select the user, then edit the billing/shipping address and use the Load (Billing|Shipping) Address tool.
Via your browser console, observe the resulting ajax request (action: woocommerce_get_customer_details) and response.

Affects Plugins

Fixed in 8.1.1

References

URL

https://hackerone.com/reports/1702658

URL

https://developer.woocommerce.com/2023/09/16/woocommerce-vulnerability-reintroduced-from-7-0-1/

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

David Anderson

Verified

Yes

WPVDB ID

bb9f355a-be33-41b1-af36-0a30c24bec8c

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2023-09-18 (about 2 years ago)

Other

Published

Title

Published

2024-03-11

Title

f(x) Private Site <= 1.2.1 - Sensitive Information Exposure

Published

2023-10-16

Title

404 Solution < 2.33.1 - Sensitive Information Exposure

Published

2025-11-18

Title

Quiz Maker < 6.7.0.81 - Unauthenticated Sensitive Information Exposure

Published

2025-04-03

Title

TailPress <= 0.4.4 - Unauthenticated Sensitive Information Exposure

Published

2024-08-28

Title

GiveWP < 3.16.0 - Unauthenticated Full Path Disclosure