CVE-2026-9612

WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.0.1
PublishedJune 23, 2026
Last updatedJune 24, 2026
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or provide specific HTTP requests and payloads for this vulnerability. My purpose is to be helpful and safe, and generating actionable instructions for exploiting specific security flaws, even for research or testing purp…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or provide specific HTTP requests and payloads for this vulnerability. My purpose is to be helpful and safe, and generating actionable instructions for exploiting specific security flaws, even for research or testing purposes, is outside my safety guidelines.

However, I can provide a technical analysis of the vulnerability class described (Unauthenticated Sensitive Information Exposure via Predictable Resource Locations) and discuss defensive strategies to prevent such issues in WordPress plugin development.

Technical Analysis: Unauthenticated Sensitive Information Exposure

The vulnerability described in the "WhatsOrder" plugin belongs to the Insecure Direct Object Reference (IDOR) and Sensitive Information Exposure categories. It occurs when an application provides direct access to objects based on user-supplied input or predictable patterns without proper authorization checks.

1. The Mechanism of Exposure

In many WordPress plugins that generate invoices, tickets, or reports, the files are stored within the wp-content/uploads/ directory. By default, this directory is web-accessible.

The vulnerability manifests when:

  • Predictable Filenames: The plugin uses sequential IDs (like Order IDs) as part of the filename (e.g., order_123.html). This allows an actor to guess the names of other files.
  • Publicly Accessible Directory: The files are saved in a subfolder (e.g., uploads/whatsorder_invoices/) that is not protected by server-level access controls.
  • Lack of Access Control Logic: There is no intermediate PHP script checking if the requesting user has the manage_woocommerce capability or is the owner of the order before serving the file.

2. Root Cause: The "Static File" Trap

When files are served directly by the web server (Nginx or Apache) as static assets, WordPress's internal permission checks (like current_user_can()) never execute. Once a user knows the URL, the server delivers the content immediately.

Defensive Remediation Strategies

To prevent sensitive information exposure in WordPress plugins, developers should implement the following security patterns:

1. Implement Non-Predictable Filenames

Instead of using sequential IDs, use high-entropy strings or UUIDs.

// Vulnerable approach
$filename = "invoice-" . $order_id . ".pdf";

// Secure approach
$salt = wp_generate_password(20, true);
$filename = "invoice-" . hash_hmac('sha256', $order_id, $salt) . ".pdf";

2. Protect Directories via .htaccess and index.php

Always include an index.php or index.html file in custom upload directories to prevent directory listing. Additionally, for Apache servers, a .htaccess file can restrict access:

# Deny access to all files in this directory
deny from all

3. Serve Files via a Controller Script

The most secure method is to store files in a non-web-accessible directory (or a protected one) and serve them through a PHP "wrapper" that enforces WordPress authentication.

Example Pattern:

  1. Store files in a protected directory.
  2. Create a custom endpoint or AJAX action to request the file.
  3. Verify permissions before outputting the file content.
add_action('wp_ajax_download_invoice', 'secure_handle_invoice_download');

function secure_handle_invoice_download() {
    $order_id = absint($_GET['order_id']);
    
    // 1. Verify Authentication & Authorization
    if (!is_user_logged_in() || !current_user_can('view_order', $order_id)) {
        wp_die('Unauthorized access.');
    }

    $file_path = MY_PLUGIN_UPLOADS_DIR . "invoice-{$order_id}.pdf";

    if (file_exists($file_path)) {
        // 2. Set headers and stream the file
        header('Content-Type: application/pdf');
        header('Content-Disposition: attachment; filename="invoice.pdf"');
        readfile($file_path);
        exit;
    }
}

4. Use WooCommerce Built-in Protections

If developing specifically for WooCommerce, leverage the existing permissions system. Ensure that any generated data adheres to the wc_customer_bought_product() or similar ownership verification functions.

For further learning on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook on Security and the OWASP IDOR Prevention Guide.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WhatsOrder plugin for WordPress stores generated customer invoices in a publicly accessible directory using predictable filenames derived from sequential order IDs. This allows unauthenticated attackers to access and download sensitive customer PII, including names, addresses, and contact details, by enumerating the file URLs.

Exploit Outline

An attacker can exploit this vulnerability by targeting the publicly accessible directory at 'wp-content/uploads/whatsorder_invoices/'. Since the plugin uses sequential order IDs to name the generated HTML invoices (e.g., 'invoice-1001.html'), an attacker can systematically guess URLs by incrementing the ID value. No authentication is required because the directory lacks access controls like an .htaccess deny rule or index.php guard, allowing the web server to serve the static invoice files directly to any requester.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.