Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical0
High1
Medium3
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2025-11-25

CVE-2025-13389 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for unauthenticated attackers to view sensitive WooCommerce order details and private conversation messages between customers and store administrators for any order by supplying an arbitrary order ID.

PLUGIN Orderconvo

CVE-2025-13389

MEDIUM CVSS 5.3 2025-11-25
Open Full Technical Breakdown
Threat Entry Updated 2025-11-25

CVE-2025-13452 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14. This is due to a flawed permission check in the REST API permission callback that returns true when no nonce is provided. This makes it possible for unauthenticated attackers to impersonate any WordPress user and inject arbitrary messages into any WooCommerce order conversation by directly calling the REST endpoint with controlled user_id, order_id, and context parameters.

PLUGIN Orderconvo

CVE-2025-13452

MEDIUM CVSS 4.3 2025-11-25
Open Full Technical Breakdown
Threat Entry Updated 2025-10-08

CVE-2025-10162 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack

PLUGIN Orderconvo

CVE-2025-10162

HIGH CVSS 7.5 2025-10-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-13355 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.

PLUGIN Orderconvo

CVE-2024-13355

MEDIUM CVSS 5.4 2025-01-16
Open Full Technical Breakdown
Scroll to top