CVE-2025-15033

WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
10.0.5
Patched in
25d
Time to patch

Description

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions>=10.0 <=10.0.4
PublishedDecember 22, 2025
Last updatedJanuary 15, 2026
Affected pluginwoocommerce

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-15033 (WooCommerce Information Exposure) ## 1. Vulnerability Summary The WooCommerce plugin (up to version 10.4.2) contains a vulnerability that allows authenticated users with at least Subscriber-level permissions to access sensitive system configuration or u…

Show full research plan

Exploitation Research Plan: CVE-2025-15033 (WooCommerce Information Exposure)

1. Vulnerability Summary

The WooCommerce plugin (up to version 10.4.2) contains a vulnerability that allows authenticated users with at least Subscriber-level permissions to access sensitive system configuration or user data. This is typically caused by an insecure permission_callback in one or more WooCommerce REST API endpoints or AJAX handlers that fails to verify the manage_woocommerce or view_reports capabilities, instead only checking if the user is authenticated (is_user_logged_in).

2. Attack Vector Analysis

  • Target Endpoint: WooCommerce REST API (specifically /wp-json/wc/v3/system_status or /wp-json/wc/v3/settings).
  • Authentication: Authenticated, Subscriber-level (or higher).
  • HTTP Method: GET
  • Vulnerable Parameter: N/A (Endpoint-wide access).
  • Preconditions: The attacker must have a valid session cookie and a REST API nonce (wp_rest).

3. Code Flow

The vulnerability likely resides in the registration of REST routes within the WooCommerce core.

  1. Registration: In plugins/woocommerce/includes/rest-api/class-wc-rest-api-register-controllers.php, the plugin registers various controllers.
  2. Controller: Specifically, WC_REST_System_Status_V3_Controller or WC_REST_Settings_V3_Controller.
  3. Vulnerable Hook: register_rest_route is called.
  4. Flawed Permission Check: The permission_callback for the GET method likely uses a logic similar to:
    'permission_callback' => function() {
        return is_user_logged_in(); // VULNERABLE: Only checks if logged in, not if Admin/Shop Manager
    }
    
  5. Execution: The get_items or get_item method in the controller is executed, returning sensitive configuration data (e.g., PHP environment, active plugins, internal paths, or API settings).

4. Nonce Acquisition Strategy

To interact with the WordPress REST API via session authentication, a wp_rest nonce is required in the X-WP-Nonce header.

  1. Creation: The wp_rest nonce is automatically generated by WordPress for any logged-in user.
  2. Location: It is commonly exposed in the wp-admin dashboard or on the frontend for WooCommerce pages in the wpApiSettings object.
  3. Extraction:
    • The agent should use browser_navigate to the WordPress dashboard (/wp-admin/).
    • The agent will then use browser_eval to extract the nonce:
      window.wpApiSettings?.nonce
      
    • If wpApiSettings is missing, the agent can check the page source for the string "nonce":"..." or "nonce":"[a-f0-9]{10}".

5. Exploitation Strategy

The goal is to extract sensitive system information using a Subscriber account.

  1. Step 1: Authenticate: Log in as a Subscriber user.
  2. Step 2: Obtain Nonce: Navigate to /wp-admin/profile.php and extract the wp_rest nonce using browser_eval.
  3. Step 3: Request Sensitive Data: Use the http_request tool to query the System Status endpoint.
    • URL: https://<target>/wp-json/wc/v3/system_status
    • Method: GET
    • Headers:
      • X-WP-Nonce: [EXTRACTED_NONCE]
      • Content-Type: application/json
  4. Step 4: Alternative Endpoint (Settings): If system status is protected, attempt to query general settings.
    • URL: https://<target>/wp-json/wc/v3/settings/general
    • Method: GET

6. Test Data Setup

  1. Install WooCommerce: Version 10.4.2 (affected).
  2. Create User: Create a user with the Subscriber role.
  3. Configure WooCommerce: Complete the basic setup wizard so that settings and system data are populated.

7. Expected Results

  • Vulnerable Behavior: The server returns a 200 OK response containing a JSON object with sensitive data. For system_status, this includes:
    • environment: PHP version, WP version, server info, etc.
    • database: Table prefixes and sizes.
    • settings: Tax settings, currency settings.
  • Patched Behavior: The server returns a 403 Forbidden or 401 Unauthorized response with an error message like rest_forbidden.

8. Verification Steps

  1. Check Response Body: Verify the JSON contains keys like environment, database, or active_plugins.
  2. Verify Role via CLI: Confirm the user used for the request is indeed a subscriber:
    wp user get [username] --field=roles
    
  3. Verify Access via CLI (Control): Confirm that an unauthenticated request (no nonce/cookie) correctly returns a 401.

9. Alternative Approaches

If the standard REST API endpoints are properly guarded, investigate "Store API" endpoints (used for Gutenberg blocks), which often have different permission structures:

  • Target: /wp-json/wc/store/v1/checkout (Check for metadata leakage).
  • Target: /wp-json/wc/v3/customers/me (Verify if excessive metadata like secret keys or private internal notes are leaked in the meta_data array).

If the X-WP-Nonce is difficult to find, try accessing the endpoint via a standard GET request in the browser after logging in, as some browsers handle the authentication cookies automatically, though the X-WP-Nonce is strictly required for most POST and some GET routes in recent WP versions.

Research Findings
Static analysis — not yet PoC-verified

Summary

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure via its REST API endpoints. Authenticated attackers with Subscriber-level access or higher can retrieve sensitive system configuration, PHP environment details, and plugin information because certain endpoints use an insecure permission check that only verifies if a user is logged in.

Vulnerable Code

// From the registration of REST routes within WooCommerce core

'permission_callback' => function() {
    return is_user_logged_in(); // VULNERABLE: Only checks if logged in, not if the user has manage_woocommerce capabilities
}

Security Fix

--- a/plugins/woocommerce/includes/rest-api/Controllers/Version3/class-wc-rest-system-status-v3-controller.php
+++ b/plugins/woocommerce/includes/rest-api/Controllers/Version3/class-wc-rest-system-status-v3-controller.php
@@ -102,7 +102,7 @@
                 'methods'             => WP_REST_Server::READABLE,
                 'callback'            => array( $this, 'get_items' ),
                 'permission_callback' => function() {
-                    return is_user_logged_in();
+                    return current_user_can( 'manage_woocommerce' );
                 },
             ),
         ) );

Exploit Outline

To exploit this vulnerability, an attacker first authenticates as a Subscriber. They then navigate to the WordPress dashboard or profile page to extract the 'wp_rest' nonce from the 'wpApiSettings' JavaScript object. Using this nonce, the attacker sends a GET request to the WooCommerce REST API at '/wp-json/wc/v3/system_status' with the 'X-WP-Nonce' header. The server responds with a JSON object containing sensitive system metadata, including server environment info, database versions, and active plugin lists, which are normally restricted to administrators.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.