CVE-2025-49356

Orders Chat for WooCommerce <= 1.2.0 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Orders Chat for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Research Plan
Unverified

# Research Plan: CVE-2025-49356 Missing Authorization in Orders Chat for WooCommerce ## 1. Vulnerability Summary The **Orders Chat for WooCommerce** plugin (<= 1.2.0) contains a missing authorization vulnerability within one of its AJAX handlers. While the plugin may implement nonce verification (C…

Show full research plan

Research Plan: CVE-2025-49356 Missing Authorization in Orders Chat for WooCommerce

1. Vulnerability Summary

The Orders Chat for WooCommerce plugin (<= 1.2.0) contains a missing authorization vulnerability within one of its AJAX handlers. While the plugin may implement nonce verification (CSRF protection), it fails to perform a capability check (e.g., current_user_can()) or an ownership check to ensure the authenticated user has the right to perform the requested action. This allows any authenticated user (including Subscriber-level accounts) to perform actions intended for higher roles or to interact with orders they do not own.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: Likely an AJAX action registered via wp_ajax_ (e.g., oc_send_message, ocfw_chat_action, or save_order_chat_message - inferred).
  • Authentication: Required (Subscriber level or above).
  • Payload Parameters: Typically includes an action, a nonce, and target identifiers like order_id or message_content.
  • Preconditions: The attacker must have a valid login. A victim order must exist in the system for the attacker to target.

3. Code Flow (Inferred)

  1. Registration: The plugin registers an AJAX handler in its main class or an inclusion file (e.g., includes/class-ocfw-ajax.php - inferred) using add_action( 'wp_ajax_...' , ... ).
  2. Entry Point: A Subscriber sends a POST request to admin-ajax.php.
  3. Verification: The handler function calls check_ajax_referer() or wp_verify_nonce(). Since the attacker is logged in, they can obtain a valid nonce.
  4. The Sink: The function proceeds to execute logic (e.g., inserting a row into wp_comments or a custom table, or updating order meta) without checking if the current_user_can( 'manage_woocommerce' ) or if the user is the customer associated with the order_id provided in the request.

4. Nonce Acquisition Strategy

To exploit this as a Subscriber, the attacker needs a valid nonce. Nonces in this plugin are typically localized for use in the order details or account pages.

  1. Identify Script Localization: Search for wp_localize_script in the plugin code to find the JS object name and nonce key.
    • Example search: grep -r "wp_localize_script" .
  2. Setup: Create a Subscriber user and an order assigned to an Admin (the victim order).
  3. Trigger Enqueueing: Navigate to the "My Account" page or a page where the chat widget is active as the Subscriber.
  4. Extraction:
    • Use browser_navigate to go to /my-account/.
    • Use browser_eval to extract the nonce:
      • browser_eval("window.ocfw_params?.nonce") (Replace ocfw_params with the actual JS object found during discovery).

5. Exploitation Strategy

  1. Target Identification: Use grep to find all wp_ajax_ actions in the plugin directory.
  2. Authorization Audit: Check each handler for the absence of current_user_can.
  3. Payload Construction: Prepare a POST request to admin-ajax.php.
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=[VULNERABLE_ACTION]&nonce=[EXTRACTED_NONCE]&order_id=[VICTIM_ORDER_ID]&message=Hacked

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is active.
  2. Create Victim Order: Create an order (ID X) as the Admin or a different customer.
  3. Create Attacker User:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  4. Plugin Config: Ensure "Orders Chat" is enabled in settings (if applicable).

7. Expected Results

  • The HTTP response should be 200 OK or a success JSON (e.g., {"success":true}).
  • The unauthorized action is committed to the database (e.g., a chat message appears on an order the subscriber does not own).

8. Verification Steps

  1. Check Database/Order: Use WP-CLI to verify the state of the victim order.
    • wp comment list --post_id=[VICTIM_ORDER_ID] (if messages are stored as comments).
    • wp db query "SELECT * FROM wp_posts WHERE post_type='ocfw_chat'" (if using custom post types - inferred).
  2. UI Verification: Log in as Admin and view the order in the WooCommerce backend to see if the unauthorized message/action is visible.

9. Alternative Approaches

  • Missing Nonce Check: If grep reveals that the handler also lacks check_ajax_referer, the exploit can be performed via CSRF (unauthenticated) if wp_ajax_nopriv_ is also used.
  • Direct ID Guessing: If the order_id is numeric and sequential, iterate through IDs to send messages to all orders in the system.
  • Settings Manipulation: If the vulnerable action is ocfw_save_settings, attempt to change global plugin options to disable security features or redirect chat traffic.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Orders Chat for WooCommerce plugin for WordPress is vulnerable to unauthorized access in versions up to 1.2.0. This occurs because the plugin's AJAX handlers verify nonces but fail to perform capability checks or verify order ownership, allowing authenticated users with subscriber-level permissions to interact with orders belonging to other customers.

Exploit Outline

To exploit this vulnerability, an attacker first logs into the WordPress site as a Subscriber-level user. They must retrieve a valid security nonce, which is typically found by inspecting localized JavaScript variables (e.g., via `wp_localize_script`) on pages where the chat functionality is loaded, such as the 'My Account' page. With the nonce and a victim's `order_id`, the attacker sends a POST request to `/wp-admin/admin-ajax.php` using the vulnerable AJAX action. The server processes the request (e.g., adding a chat message to the victim's order) because it lacks a check for `current_user_can()` or a comparison between the user ID and the order's owner.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.