What the vulnerability does
01 Description
The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
Explanation of Vulnerability in Simple Terms
02 Summary
PiWeb Live sales notification for WooCommerce, in versions up to and including 2.3.39, performs no authorization check in its getOrders function, so anyone who can reach the site can call it and read the data it returns. No login, credentials or user interaction is needed. The function hands back customer and sales information (buyer first names, city, state, country, purchase time and date, and product details) that should be visible only to authorized users.
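The pattern behind a "missing authorization" finding of this kind, shown as an added illustration written for this page. It is not code from the Live sales notification for WooCommerce plugin and does not claim to reproduce the vendor's fix; every action, function, option and nonce name below is an assumption, and it presumes WordPress with WooCommerce loaded (wc_get_orders, WC_Order). It shows a handler that collects exactly the fields the advisory lists, the unauthenticated registration that makes it reachable by anyone, the hardened equivalent with a capability check and nonce, and a data-minimised public variant for the case where the storefront itself must display a notification.

```php
<?php
/**
 * Added illustration of the "missing authorization" pattern this advisory
 * describes. NOT code from the Live sales notification for WooCommerce plugin
 * and not its fix; every action, function, option and nonce name is assumed.
 * Assumes WordPress with WooCommerce loaded (wc_get_orders, WC_Order).
 */

/** Collect the fields the advisory lists for the most recent completed orders. */
function lsn_recent_orders_full( int $limit = 10 ): array {
    $out = array();
    foreach ( wc_get_orders( array( 'limit' => $limit, 'status' => 'completed' ) ) as $order ) {
        $products = array();
        foreach ( $order->get_items() as $item ) {
            $products[] = $item->get_name();
        }
        $created = $order->get_date_created();
        $out[]   = array(
            'first_name' => $order->get_billing_first_name(),
            'city'       => $order->get_billing_city(),
            'state'      => $order->get_billing_state(),
            'country'    => $order->get_billing_country(),
            'purchased'  => $created ? $created->date( 'c' ) : null,
            'products'   => $products,
        );
    }
    return $out;
}

// ---- Vulnerable pattern -------------------------------------------------------
// The same callback is bound to wp_ajax_ (logged in) and wp_ajax_nopriv_
// (anonymous), and the callback checks only a display setting, never who is
// asking. Any visitor can POST action=lsn_get_orders to admin-ajax.php and
// receive buyer names, locations, purchase times and products.
add_action( 'wp_ajax_lsn_get_orders',        'lsn_get_orders_vulnerable' );
add_action( 'wp_ajax_nopriv_lsn_get_orders', 'lsn_get_orders_vulnerable' );

function lsn_get_orders_vulnerable(): void {
    if ( ! get_option( 'lsn_show_recent_orders' ) ) {   // hypothetical option name
        wp_send_json_error( 'feature disabled', 404 );
    }
    wp_send_json_success( lsn_recent_orders_full() );    // no capability, no nonce
}

// ---- Hardened pattern ---------------------------------------------------------
// 1. No wp_ajax_nopriv_ registration: anonymous requests never reach the code.
// 2. A nonce binds the call to a page the user actually loaded (CSRF guard).
// 3. A capability check: WooCommerce grants manage_woocommerce to shop staff.
add_action( 'wp_ajax_lsn_get_orders_admin', 'lsn_get_orders_hardened' );

function lsn_get_orders_hardened(): void {
    check_ajax_referer( 'lsn_get_orders_admin', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! get_option( 'lsn_show_recent_orders' ) ) {
        wp_send_json_error( 'feature disabled', 404 );
    }
    wp_send_json_success( lsn_recent_orders_full() );
}

// ---- If the storefront really needs a public feed -----------------------------
// A "someone just bought X" toast does not need the buyer's identity. Expose a
// separate anonymous endpoint that returns only the product name and a coarse
// relative time, so even an unauthenticated caller learns nothing about the
// customer. (Design choice assumed here, not taken from the plugin.)
add_action( 'wp_ajax_lsn_public_toast',        'lsn_public_toast' );
add_action( 'wp_ajax_nopriv_lsn_public_toast', 'lsn_public_toast' );

function lsn_public_toast(): void {
    if ( ! get_option( 'lsn_show_recent_orders' ) ) {
        wp_send_json_error( 'feature disabled', 404 );
    }
    $out = array();
    foreach ( wc_get_orders( array( 'limit' => 5, 'status' => 'completed' ) ) as $order ) {
        $items   = array_values( $order->get_items() );
        $created = $order->get_date_created();
        $out[]   = array(
            'product' => $items ? $items[0]->get_name() : null,
            'when'    => $created ? human_time_diff( $created->getTimestamp() ) . ' ago' : null,
        );
    }
    wp_send_json_success( $out );
}
```

The two things to look for when auditing a plugin for this class of bug are a `wp_ajax_nopriv_` (or a REST route with `'permission_callback' => '__return_true'`) bound to a callback that reads order data, and the absence of any `current_user_can()` inside that callback. The nonce in the hardened handler must be generated server-side with `wp_create_nonce( 'lsn_get_orders_admin' )` and passed to the admin page's script; a nonce alone is not authorization, which is why the capability check is still required.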
What an attacker can do
03 Attacker Capabilities
Read sensitive sales and customer data without logging in.
Potential impact on your site
04 Site Impact
Recent order records, including buyer first names, city, state, country, purchase time and date, and the products bought, may be read by anyone who discovers the vulnerable endpoint. Because this is customer personal data, exposure may carry breach-notification obligations, and the combination of a name, location and a recent purchase is well suited to targeted phishing of buyers.
Conditions required to exploit
05 Prerequisites
Network access to the WooCommerce site, with the plugin installed at version 2.3.39 or earlier and configured to display recent order information; no authentication or user interaction is required.
Key dates
06 Disclosure timeline
November 18, 2025: CVE published
April 8, 2026: Record updated