Live Sales Notification for WooCommerce Missing Authorization Vulnerability Allowing Customer Data Exposure
Vulnerability
A vulnerability exists in the Live Sales Notification for WooCommerce plugin for WordPress, in all versions through 2.3.39. The issue arises from the 'getOrders' function, which fails to implement proper authorization and capability checks when the plugin is set to display recent order information. This oversight enables unauthenticated attackers to access sensitive customer data, including first names, location details, purchase timestamps, and product information.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive customer information, including names, addresses, purchase details, and product information.
Reproduction
To reproduce this vulnerability, activate the Live Sales Notification for WooCommerce plugin version 2.3.39 or earlier. Ensure the plugin is configured to display recent order information. Once set, send an AJAX request to the 'wc_ajax_pisol_live_orders' endpoint without authentication. The response will include sensitive customer data from recent orders, demonstrating the missing authorization flaw.
Remediation
Users are advised to update the Live Sales Notification for WooCommerce plugin to version 2.3.40 or later.
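The following is an added defender-side example, not code from the plugin or this advisory: it checks whether an installed version falls in the affected range stated above and scans access-log lines for requests to the live-orders AJAX action described in the reproduction steps, flagging sources that pulled order data without coming from the site's own pages or that polled it repeatedly. It assumes WooCommerce's usual routing of the `wc_ajax_<action>` hook to the public `?wc-ajax=<action>` query string and the combined Apache/nginx log format; the host name, threshold and log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = (2, 3, 40)  # from the advisory: 2.3.40 closes the hole
# Assumption: WooCommerce routes the 'wc_ajax_<action>' hook to the public
# '?wc-ajax=<action>' query string, so the endpoint shows up in access logs
# as 'wc-ajax=pisol_live_orders'.
ACTION = "pisol_live_orders"

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample: two browser-driven calls from the site's own pages,
# then a burst of direct polling from one address with no referer.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?wc-ajax=pisol_live_orders HTTP/1.1" 200 512 "https://shop.example/product/a" "Mozilla/5.0"',
    '203.0.113.11 - - [01/Jan/2024:10:00:05 +0000] "GET /?wc-ajax=pisol_live_orders HTTP/1.1" 200 498 "https://shop.example/" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [01/Jan/2024:10:01:{i:02d} +0000] "GET /?wc-ajax=pisol_live_orders&p={i} HTTP/1.1" 200 2048 "-" "python-requests/2.31"'
    for i in range(6)
] + ['203.0.113.12 - - [01/Jan/2024:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"']

def is_vulnerable(version):
    """True for every plugin version through 2.3.39 (anything below the fixed 2.3.40)."""
    return tuple(int(p) for p in version.strip().split(".")) < FIXED_VERSION

def hits_live_orders(path):
    """True when the request's query string targets the live-orders AJAX action."""
    return ACTION in parse_qs(urlsplit(path).query).get("wc-ajax", [])

def find_endpoint_requests(log_lines, site_host):
    """Every request to the endpoint, noting whether it was referred from the site itself."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not hits_live_orders(m["path"]):
            continue
        ref_host = urlsplit(m["referer"]).hostname or ""
        findings.append({"ip": m["ip"], "status": int(m["status"]), "off_site": ref_host != site_host})
    return findings

def suspicious_sources(findings, threshold=5):
    """IPs that pulled order data (HTTP 200) without coming from a site page, or polled repeatedly."""
    counts = Counter(f["ip"] for f in findings)
    flagged = {f["ip"] for f in findings if f["off_site"] and f["status"] == 200}
    return sorted(flagged | {ip for ip, n in counts.items() if n >= threshold})
```

Run `suspicious_sources(find_endpoint_requests(SAMPLE_LOG, "shop.example"))` against real logs by swapping in your own lines and host; a flagged address only shows that the endpoint was read outside normal page flow, so confirm the plugin version before treating it as exposure.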