CVE-2025-49356

2025-12-31

Lifecycle Timeline

CVE Published: Dec 31, 2025 - 16:15 (nvd)
Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)

Description

Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce orders-chat-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orders Chat for WooCommerce: from n/a through <= 1.2.0.

Analysis

Orders Chat for WooCommerce plugin versions up to and including 1.2.0 fail to properly enforce access controls on chat functionality, allowing attackers to bypass authorization checks and access or manipulate order chat data through incorrectly configured security levels. This broken access control vulnerability (CWE-862) affects WordPress installations running the vulnerable plugin. No public exploit code has been identified, although the authorization bypass itself is confirmed. The EPSS probability is low at 0.04%, suggesting limited real-world exploitation likelihood despite the authorization flaw.

Technical Context

The vulnerability resides in the Orders Chat for WooCommerce WordPress plugin, a WooCommerce extension that facilitates customer-merchant communication around orders. The root cause is CWE-862 (Missing Authorization): the application fails to verify that a user holds the appropriate permissions before granting access to chat functionality or the associated order data. WordPress plugins commonly expose their functionality through WooCommerce REST API endpoints and admin AJAX handlers; insufficient authorization checks in these handlers allow unauthorized users to perform actions they should not be permitted to execute. The vulnerability likely stems from missing nonce verification (wp_verify_nonce) and capability checks (current_user_can) in the functions that handle chat message retrieval, creation, or modification.
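As an added illustration (this is not code from the Orders Chat for WooCommerce plugin; the hook names, meta key and helper function are assumptions), the pattern described above in a WordPress admin-AJAX handler: the first handler returns chat messages for whatever order id the caller supplies, the second verifies the nonce, requires a login, and ties the authorization decision to the specific order requested.

```php
<?php
// Added example, not code from the Orders Chat for WooCommerce plugin.
// Hook names, the '_ocw_example_chat_messages' meta key and the helper
// below are assumptions made for illustration.

// Assumed storage: chat messages kept as order meta on the WC_Order.
function ocw_example_load_messages( $order ) {
    $messages = $order->get_meta( '_ocw_example_chat_messages', true );
    return is_array( $messages ) ? $messages : array();
}

// VULNERABLE PATTERN (CWE-862): the caller chooses order_id and nothing
// verifies a nonce, a login, or that the caller may see that order.
// The nopriv hook even exposes it to anonymous visitors.
function ocw_example_chat_unchecked() {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    wp_send_json_success( $order ? ocw_example_load_messages( $order ) : array() );
}
add_action( 'wp_ajax_ocw_example_chat_unchecked', 'ocw_example_chat_unchecked' );
add_action( 'wp_ajax_nopriv_ocw_example_chat_unchecked', 'ocw_example_chat_unchecked' );

// HARDENED PATTERN: nonce (CSRF), authentication, then an authorization
// decision tied to the specific order requested.
function ocw_example_chat_checked() {
    // Dies with HTTP 403 when the nonce is missing or stale.
    check_ajax_referer( 'ocw_example_chat', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }

    // Shop staff may read any order's chat; a customer only their own.
    $is_staff = current_user_can( 'manage_woocommerce' );
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( ocw_example_load_messages( $order ) );
}
// Deliberately no wp_ajax_nopriv_ registration: anonymous requests never
// reach this handler, and guest orders (customer id 0) are staff-only.
add_action( 'wp_ajax_ocw_example_chat', 'ocw_example_chat_checked' );
```

The same three checks (nonce, authentication, per-object authorization) apply to handlers that create or modify chat messages, not only to retrieval.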

Affected Products

The Orders Chat for WooCommerce plugin, developed by Mykola Lukin, is affected in all versions from inception through version 1.2.0. The plugin is a WordPress extension that requires WooCommerce to be active on the WordPress installation. Affected users are site administrators running the plugin on any version equal to or older than 1.2.0. The Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/orders-chat-for-woocommerce/vulnerability/wordpress-orders-chat-for-woocommerce-plugin-1-2-0-broken-access-control-vulnerability?_s_id=cve) provides additional details and may reference patched versions.

Remediation

Update the Orders Chat for WooCommerce plugin to the latest version beyond 1.2.0. WordPress administrators should navigate to Plugins > Installed Plugins, locate Orders Chat for WooCommerce, and click Update if available. If no update is immediately available, deactivate and uninstall the plugin until a patched version is released by the developer. Verify the patched version through the official WordPress plugin directory (wordpress.org/plugins/orders-chat-for-woocommerce) or the Patchstack advisory. Additionally, review WordPress user roles and capabilities to ensure only trusted administrators have access to WooCommerce order management and chat data. No alternative workaround addresses the authorization logic flaw; patching is the definitive remediation.

Priority Score

0 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
