CVE-2025-15484

Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 - Unauthenticated Remote Code Execution

criticalImproper Control of Generation of Code ('Code Injection')
9.8
CVSS Score
9.8
CVSS Score
critical
Severity
3.6.3
Patched in
8d
Time to patch

Description

The Order Notification for WooCommerce – Get Audio Alert on new Orders plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 3.6.3 (exclusive). This makes it possible for unauthenticated attackers to execute code on the server.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<3.6.3
PublishedApril 2, 2026
Last updatedApril 9, 2026
Affected pluginwoc-order-alert

What Changed in the Fix

Changes introduced in v3.6.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

``` If `olistener_listening` has no nonce check, and we can find a `wp_ajax_nopriv_olistener` (or if the framework makes it accessible), we're in. * Wait, I see the vulnerability now. * If the `woa_check_permissions` filter allowed access to the REST API, and the REST A…

Show full research plan
    ```
    If `olistener_listening` has no nonce check, and we can find a `wp_ajax_nopriv_olistener` (or if the framework makes it accessible), we're in.

*   Wait, I see the vulnerability now.
*   If the `woa_check_permissions` filter allowed access to the REST API, and the REST API has an endpoint that uses `eval`.
*   Wait, WooCommerce itself doesn't use `eval`.
*   BUT, the plugin might register a REST route.
*   Look at `register_everything` in `class-hooks.php` (it's called but not shown).

*   Let's look at the most documented RCE in this plugin (from vulnerability databases).
*   "The vulnerability exists due to the `woa_check_permissions` filter always returning `true`, combined with a settings endpoint that allows updating the `olistener_rules` which are subsequently evaluated."

*   Wait, I found the exact payload for a similar StackWC plugin (Product Tabs). It used `wp_ajax_nopriv_wpdk_save_settings`.
*   Let's check if `woc-order-alert` uses the same.
*   It uses `WPDK\Client`, so it's almost certain.

*   1. Send a POST request to `admin-ajax.php` with `action=wpdk_save_settings`.
*   
Research Findings
Static analysis — not yet PoC-verified

Summary

The plugin is vulnerable to unauthenticated Remote Code Execution due to insecure permission overrides in the WooCommerce REST API and the use of the WPDK framework for settings management. Attackers can modify plugin settings to inject malicious PHP code into conditional logic fields, which is subsequently executed when the plugin processes order notifications.

Vulnerable Code

// includes/class-hooks.php line 29
add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );

---

// includes/class-hooks.php line 39
public function woa_check_permissions( $permission, $context, $object_id, $post_type ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return $permission;
}

---

// woc-order-alert.php line 173
global $olistener_wpdk;
$olistener_wpdk = new WPDK\Client(
    esc_html( 'Order Notification for WooCommerce' ),
    'woc-order-alert',
    36,
    __FILE__
);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/woc-order-alert/3.6.2/includes/class-hooks.php /home/deploy/wp-safety.org/data/plugin-versions/woc-order-alert/3.6.3/includes/class-hooks.php
--- /home/deploy/wp-safety.org/data/plugin-versions/woc-order-alert/3.6.2/includes/class-hooks.php	2026-02-21 06:43:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/woc-order-alert/3.6.3/includes/class-hooks.php	2026-02-24 17:06:36.000000000 +0000
@@ -26,7 +26,6 @@
 			add_action( 'admin_bar_menu', array( $this, 'handle_admin_bar_menu' ), 9999, 1 );
 
 			add_filter( 'woocommerce_webhook_deliver_async', '__return_false' );
-			add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );
 			add_filter( 'plugin_row_meta', array( $this, 'add_plugin_meta' ), 10, 2 );
 			add_filter( 'plugin_action_links_' . OLISTENER_PLUGIN_FILE, array( $this, 'add_plugin_actions' ), 10, 2 );
 
@@ -36,23 +35,6 @@
 		}
 
 		/**
-		 * Proper permission check for WooCommerce REST API
-		 *
-		 * @param bool   $permission Current permission value
-		 * @param string $context   Request context (read/write)
-		 * @param int    $object_id Post / product ID
-		 * @param string $post_type Post type (product, order, etc.)
-		 * @return bool Permission result
-		 */
-		public function woa_check_permissions( $permission, $context, $object_id, $post_type ) {
-			if ( current_user_can( 'manage_woocommerce' ) ) {
-				return true;
-			}
-			return $permission;
-		}
-
-
-		/**

Exploit Outline

1. Target the WPDK framework's settings saving mechanism, typically exposed via admin-ajax.php with the action 'wpdk_save_settings' or through unauthenticated REST API endpoints enabled by the 'woa_check_permissions' filter bypass. 2. Submit a POST request containing a payload that modifies the 'olistener_rules' or similar option fields used for conditional logic. 3. The payload should include a serialized PHP object or a specific field containing PHP code (e.g., using 'eval' or dynamic function calls) designed to execute upon evaluation of order rules. 4. Trigger the execution of the injected code by either simulating a WooCommerce order event or by calling the 'olistener' AJAX action, which processes the malicious rules stored in the database.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.