CVE-2025-1284
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure
The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's invoices and orders which can contain sensitive information.
Reserved 2025-02-13 | Published 2025-04-24 | Updated 2025-04-24 | Assigner WordfenceCWE-639 Authorization Bypass Through User-Controlled Key
| 2025-04-23: | Disclosed |
Lucio Sá
www.wordfence.com/...-4b56-46c0-becd-75fd16f165a8?source=cve
codecanyon.net/item/woocommerce-google-cloud-print/21129093
Support options
