PT-2025-48015 · Unknown+1 · Woocommerce+1

Published

2025-11-25

·

Updated

2025-11-25

·

CVE-2025-13452

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress, versions up to and including 14
Description

The plugin is affected by a missing-authorization weakness in its REST API. The permission callback for the message endpoint is flawed: when no nonce is supplied with the request, the check lets the request through without any authentication, and the endpoint then trusts the user id, order id and context parameters supplied by the caller. An unauthenticated attacker can therefore call the REST endpoint directly, impersonate any WordPress user, and inject arbitrary messages into any WooCommerce order conversation.
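The following is an added illustration of the flaw class described above, written for this page; it is not OrderConvo's code, and the namespace, route name, parameter names and function names are assumptions chosen for the example. The vulnerable form verifies a nonce only when one is present and then trusts a caller-supplied user id; the hardened form relies on the identity WordPress core already established (which is 0 for a cookie-less or nonce-less request), checks ownership of the order, and never reads the acting user from the request.

```php
<?php
// Added example (not plugin code). Route, parameter and function names are hypothetical.
add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN: nonce checked only if supplied, user taken from the request.
    register_rest_route( 'orderconvo-example/v1', '/message-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_message_vulnerable',
        'permission_callback' => 'example_permission_vulnerable',
    ) );

    // HARDENED PATTERN: identity comes from core, ownership is verified per order.
    register_rest_route( 'orderconvo-example/v1', '/message', array(
        'methods'             => 'POST',
        'callback'            => 'example_post_message_hardened',
        'permission_callback' => 'example_permission_hardened',
    ) );
} );

function example_permission_vulnerable( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( $nonce && ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return false;
    }
    return true; // No nonce at all => no check at all: unauthenticated callers pass.
}

function example_post_message_vulnerable( WP_REST_Request $request ) {
    // Attacker controls all three values; any user id is accepted as the author.
    $user_id  = absint( $request->get_param( 'user_id' ) );
    $order_id = absint( $request->get_param( 'order_id' ) );
    $context  = sanitize_text_field( $request->get_param( 'context' ) );
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    example_store_message( $order_id, $user_id, $context, $message );
    return rest_ensure_response( array( 'ok' => true ) );
}

function example_permission_hardened( WP_REST_Request $request ) {
    // Core only honours cookie auth when a valid wp_rest nonce was sent, so a
    // nonce-less request reaches us as user 0 (application passwords also set this).
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }

    $order = wc_get_order( absint( $request->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }

    // Shop staff may post to any order; a customer only to their own order.
    if ( current_user_can( 'manage_woocommerce' ) || (int) $order->get_customer_id() === $user_id ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You cannot post to this order.', array( 'status' => 403 ) );
}

function example_post_message_hardened( WP_REST_Request $request ) {
    // The author is whoever core authenticated; a user_id parameter is ignored.
    $user_id  = get_current_user_id();
    $order_id = absint( $request->get_param( 'order_id' ) );
    $context  = in_array( $request->get_param( 'context' ), array( 'customer', 'admin' ), true )
        ? $request->get_param( 'context' )
        : 'customer';
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    example_store_message( $order_id, $user_id, $context, $message );
    return rest_ensure_response( array( 'ok' => true ) );
}

function example_store_message( $order_id, $user_id, $context, $message ) {
    // Hypothetical persistence: keep messages as order notes tagged with the author.
    $order = wc_get_order( $order_id );
    if ( $order ) {
        $order->add_order_note( sprintf( '[%s][user %d] %s', $context, $user_id, $message ) );
    }
}
```

The practitioner's check is in the hardened permission callback: it never asks "was a nonce sent?", it asks "who did core authenticate?", then ties that identity to the specific order. A request with no nonce and no application password arrives as user 0 and is rejected before the handler runs, which is exactly the path the description says the flawed callback lets through.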
Recommendations

Installations running version 14 or earlier should be updated to a newer release of the plugin.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-13452

Affected Products

Orderconvo
Woocommerce