Admin and Customer Messages After Order for WooCommerce Missing Authorization Vulnerability
Vulnerability
A missing authorization vulnerability has been identified in the Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress, affecting all versions up to and including 14. The permission check on the plugin's REST API callback is flawed: it only validates a nonce when one is supplied, so a request that carries no nonce at all passes the check and reaches the callback. Because the endpoint also trusts the client-supplied user_id, order_id, and context parameters to decide who the message is from and which conversation it belongs to, an unauthenticated attacker can post arbitrary messages into any WooCommerce order conversation and have them attributed to any WordPress user.
Impact
Exploitation of this vulnerability allows an unauthenticated attacker to impersonate any WordPress user and inject messages into WooCommerce order conversations. Because the message is attributed to whatever user_id the attacker supplies, it is displayed to customers and staff as though that user wrote it. Sites running version 14 or earlier of the plugin are affected.
Reproduction
To reproduce this vulnerability, send a request to the vulnerable REST API endpoint without any WordPress REST nonce (no X-WP-Nonce header and no _wpnonce parameter, which are the two places WordPress core looks for one) and include the user_id, order_id, and context parameters. Because the permission check treats a missing nonce as acceptable rather than as an unauthenticated request, the callback runs and stores the message in the specified order's conversation, attributed to the chosen user_id.
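The following is an added illustration of the flawed permission pattern described above and of a hardened replacement; it is not OrderConvo's code, and the namespace, route, capability choice, and the example_store_message storage helper are all hypothetical. It shows why "no nonce" must mean "anonymous caller" rather than "nothing to check", and why the acting user and the context must come from the server-side session, not from the request body.

```php
<?php
/**
 * Illustrative example (not the plugin's own code). Route, namespace and
 * the example_store_message helper are hypothetical. Requires WordPress
 * and WooCommerce to be loaded (wc_get_order, WP_REST_Request, WP_Error).
 */

// Hypothetical storage helper: records one conversation entry on the order.
function example_store_message( $order_id, $user_id, $context, $message ) {
    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        return false;
    }
    $order->add_meta_data( '_example_conversation', array(
        'user_id' => (int) $user_id,
        'context' => $context,
        'message' => $message,
        'time'    => time(),
    ), false );
    $order->save();
    return true;
}

// --- Vulnerable pattern -------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order-message', array(
        'methods'             => 'POST',
        'callback'            => 'example_vulnerable_post_message',
        // BUG 1: a missing nonce is treated as "nothing to verify" and the
        // request is allowed. WordPress core already turns a valid
        // X-WP-Nonce into a logged-in current user; with no nonce the
        // request is simply anonymous, so returning true lets anyone in.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = $request->get_header( 'X-WP-Nonce' );
            if ( $nonce ) {
                return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
            }
            return true;
        },
    ) );
} );

function example_vulnerable_post_message( WP_REST_Request $request ) {
    // BUG 2: the author, the target order and the context all come from
    // the request body, so the caller chooses who the message appears
    // to be from and where it lands.
    $user_id  = (int) $request->get_param( 'user_id' );
    $order_id = (int) $request->get_param( 'order_id' );
    $context  = sanitize_text_field( $request->get_param( 'context' ) );
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    example_store_message( $order_id, $user_id, $context, $message );
    return rest_ensure_response( array( 'ok' => true ) );
}

// --- Hardened pattern ---------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/order-message-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_secure_post_message',
        'permission_callback' => 'example_can_message_order',
        'args'                => array(
            'order_id' => array( 'required' => true, 'type' => 'integer' ),
            'message'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_can_message_order( WP_REST_Request $request ) {
    // Core has already resolved the caller from cookie + X-WP-Nonce (or
    // another authentication scheme). No nonce means user ID 0: reject.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = wc_get_order( (int) $request->get_param( 'order_id' ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Unknown order.', array( 'status' => 404 ) );
    }
    // Staff may write on any order; customers only on their own.
    if ( current_user_can( 'edit_shop_orders' ) ) {
        return true;
    }
    if ( (int) $order->get_customer_id() === $user_id ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'You cannot post on this order.', array( 'status' => 403 ) );
}

function example_secure_post_message( WP_REST_Request $request ) {
    // Identity comes from the session, never from the body, and the
    // "admin" context is derived from capability rather than chosen by
    // the client.
    $user_id  = get_current_user_id();
    $order_id = (int) $request->get_param( 'order_id' );
    $context  = current_user_can( 'edit_shop_orders' ) ? 'admin' : 'customer';
    $message  = sanitize_textarea_field( $request->get_param( 'message' ) );
    example_store_message( $order_id, $user_id, $context, $message );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The same mistake in its shortest form is 'permission_callback' => '__return_true' on an endpoint that writes data. When auditing a plugin, look for permission callbacks that branch on whether a nonce is present, and for callbacks that read a user ID from the request instead of calling get_current_user_id().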
