What the vulnerability does
01Description
The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.
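The pattern the description refers to, as an added illustration that is not OrderConvo's own code: a REST `permission_callback` that treats a missing nonce as success, next to a hardened version that requires a logged-in user and authorizes the specific order and user being acted on. The route name, the `orderconvo_example_*` function names and the ownership rule (customers may only post to their own orders, shop staff to any) are assumptions for the example; the WordPress and WooCommerce functions called are real.

```php
<?php
// Added example (not the plugin's code). Route, function names and the
// ownership rule are assumptions; WordPress/WooCommerce APIs are real.

// Vulnerable pattern: absence of a nonce is treated as "allowed", so an
// unauthenticated request that simply omits the nonce passes the check.
function orderconvo_example_permission_vulnerable( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( empty( $nonce ) ) {
        return true; // BUG: a missing nonce must deny, not allow
    }
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened pattern: a nonce is only CSRF protection; authorization must be
// decided from the authenticated user, never from caller-supplied user_id.
function orderconvo_example_permission_hardened( WP_REST_Request $request ) {
    // WordPress REST cookie auth only sets the current user when a valid
    // nonce was sent, so without one this call returns false.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $current_user = get_current_user_id();
    $user_id      = absint( $request->get_param( 'user_id' ) );
    $order_id     = absint( $request->get_param( 'order_id' ) );
    $is_staff     = current_user_can( 'manage_woocommerce' );

    // The caller may not choose which user the message is attributed to.
    if ( $user_id !== $current_user && ! $is_staff ) {
        return new WP_Error( 'rest_forbidden', 'Cannot act as another user.', array( 'status' => 403 ) );
    }
    $order = function_exists( 'wc_get_order' ) ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    // Customers may only post to their own orders; shop staff to any order.
    if ( (int) $order->get_customer_id() !== $current_user && ! $is_staff ) {
        return new WP_Error( 'rest_forbidden', 'Not your order.', array( 'status' => 403 ) );
    }
    return true;
}

// Minimal handler: by the time it runs, the permission callback has already
// bound user_id to the authenticated user (or a staff member).
function orderconvo_example_add_message( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'user_id'  => absint( $request->get_param( 'user_id' ) ),
        'order_id' => absint( $request->get_param( 'order_id' ) ),
        'context'  => sanitize_text_field( $request->get_param( 'context' ) ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'orderconvo-example/v1', '/message', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'orderconvo_example_add_message',
        'permission_callback' => 'orderconvo_example_permission_hardened',
        'args'                => array(
            'user_id'  => array( 'required' => true, 'type' => 'integer' ),
            'order_id' => array( 'required' => true, 'type' => 'integer' ),
            'context'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The design point is that the nonce and the authorization decision are separate concerns. `wp_verify_nonce()` answers "did this request originate from a page we served to this user?", which is a CSRF question; it says nothing about whether the user is allowed to post as `user_id` into `order_id`. A callback that returns `true` when the nonce is absent collapses both checks into nothing, which is exactly the unauthenticated impersonation the description reports.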
Explanation of Vulnerability in Simple Terms
02Summary
OrderConvo, a WooCommerce messaging plugin by nmedia, contains an authorization flaw in versions 14 and earlier. The permission check on the plugin's REST endpoint grants access whenever no nonce is supplied, so an attacker who is not logged in at all can post messages into any order's conversation and choose which WordPress user the message appears to come from. No account and no user interaction are required. Update to a version newer than 14.
What an attacker can do
03Attacker Capabilities
Inject arbitrary messages into any WooCommerce order conversation, attributed to any chosen WordPress user (customer, staff or administrator), without authenticating to the site.
Potential impact on your site
04Site Impact
Customers and staff could see forged messages in their order conversations that appear to come from the shop, from an administrator, or from another customer, with no indication that the author was an outside party.
Conditions required to exploit
05Prerequisites
None beyond network access to the site's REST API while OrderConvo version 14 or earlier is installed. Because the permission callback passes when no nonce is provided, no WordPress account is needed.
Key dates
06Disclosure timeline
November 25, 2025
CVE published
April 8, 2026
Record updated