CVE-2025-15484

CVE-2025-15484: Order Notification for WooCommerce < 3.6.3 - Unauthenticated WooCommerce REST Permission Bypass

Vendor Unknown

Product Order Notification for WooCommerce

Published April 1, 2026

Last update April 1, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write access to store resources like products, coupons, and customers.

Key dates

Disclosure timeline

April 1, 2026 CVE published

April 1, 2026 Record updated