CVE-2025-13452 MEDIUM

CVE-2025-13452: Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

Vendor Nmedia
Product Admin and Customer Messages After Order for WooCommerce: OrderConvo
Weakness CWE-639 · IDOR
Published November 25, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

Explanation of Vulnerability in Simple Terms

02Summary

OrderConvo, a WooCommerce messaging plugin by nmedia, contains an authorization flaw in versions 14 and earlier. An authenticated user with low privileges can modify message data they should not have access to. The vulnerability requires a valid WordPress account but no special interaction. Update to a version newer than 14.

What an attacker can do

03Attacker Capabilities

Modify order messages or conversation data belonging to other users or orders.

Potential impact on your site

04Site Impact

Customers or staff could have their order messages altered or deleted by other authenticated users.

Conditions required to exploit

05Prerequisites

Attacker must have a valid WordPress user account with at least low-level privileges.

Key dates

06Disclosure timeline

November 25, 2025 CVE published
April 8, 2026 Record updated