Admin and Customer Messages After Order for WooCommerce OrderConvo Unauthorized Data Access Vulnerability
Vulnerability
A vulnerability exists in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress, in all versions up to and including 14. The issue arises from a missing capability check in the 'get_order_by_id()' function, which allows unauthenticated attackers to access sensitive WooCommerce order information and the private messages exchanged between customers and store administrators. The data is returned simply by supplying an arbitrary order ID in the request.
Impact
Exploitation of this vulnerability allows for unauthorized access to WooCommerce order details and private conversation messages between customers and store administrators.
Reproduction
To reproduce this vulnerability, send a request to the WordPress REST API endpoint 'wooconvo/v1' with the 'get_order_by_id' slug. Include an arbitrary order ID in the request. The absence of a proper authorization check will result in the response containing the requested order details and private messages, if available.
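The root cause described above is a REST route whose permission callback admits every visitor. The following is an added illustration of the hardened pattern for the 'wooconvo/v1' route, written for this advisory and not taken from the plugin: the route namespace and 'get_order_by_id' slug come from the page, while the 'order_id' parameter name and the example_* function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Namespace and slug are from the
// advisory; the parameter name 'order_id' and the function names are assumed.
//
// The vulnerable shape of this registration is a permission callback that
// accepts everyone, e.g. 'permission_callback' => '__return_true', so any
// unauthenticated request with an order ID is answered with the order data.

add_action( 'rest_api_init', function () {
    register_rest_route( 'wooconvo/v1', '/get_order_by_id', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_order_by_id',
        'args'                => array(
            // Coerce the ID to a non-negative integer before any lookup.
            'order_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
        // Authorization is decided here, before the callback ever runs.
        'permission_callback' => 'example_can_view_order',
    ) );
} );

// Allow the request only for a logged-in user who either manages the store
// or is the customer the requested order belongs to.
function example_can_view_order( WP_REST_Request $request ) {
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        // 401 for anonymous callers, 403 for logged-in callers (WordPress helper).
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $order = wc_get_order( absint( $request['order_id'] ) );
    // Treat a missing order and a foreign order identically so the check
    // does not leak whether a given ID exists.
    if ( ! $order || (int) $order->get_customer_id() !== $user_id ) {
        return new WP_Error( 'rest_forbidden', 'You may not view this order.',
            array( 'status' => 403 ) );
    }
    return true;
}

// Handler runs only after example_can_view_order() returned true.
function example_get_order_by_id( WP_REST_Request $request ) {
    $order = wc_get_order( absint( $request['order_id'] ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
```

The same ownership check must also guard any route that returns the conversation messages attached to an order, since the capability check on the order lookup alone does not protect a separate message endpoint.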
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.