Whatsorder Instant Checkout For Woocommerce
Monthly
Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated mass PII harvesting is possible on any WordPress site running the WhatsOrder - Instant Checkout for WooCommerce plugin (all versions through 1.0.1) because the plugin writes customer invoice HTML files to a publicly accessible directory with no access restrictions. The `yapacdev_generate_order_pdf` function deposits invoices under `wp-content/uploads/whatsorder_invoices/` without generating an `.htaccess` deny rule or `index.php` guard, and because WooCommerce uses predictable sequential order IDs, any remote attacker can enumerate and download every customer invoice with no authentication. Exposed data includes full name, email, phone number, billing address, itemized order contents with pricing, applied coupon codes, shipping method, and order total. No public exploit code has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.