WordPress is one of the most popular platforms for building e-commerce websites, and WooCommerce is its go-to plugin for adding shopping cart functionality. Many shop owners use add-ons to make order management easier, like the "Phone Orders for WooCommerce" plugin. Unfortunately, in late 2022, a serious vulnerability was discovered in this plugin that could allow even low-privileged user accounts (like subscribers) to access sensitive information that should be locked down.
This article dives deep into CVE-2022-41655, how it works, what's at risk, and how to protect your store.
What Is CVE-2022-41655?
CVE-2022-41655 is an Authenticated Sensitive Data Exposure vulnerability in the "Phone Orders for WooCommerce" plugin, versions up to and including 3.7.1. This means that any logged-in user, even with only "subscriber" access (which normally can’t view orders), could exploit this hole to view sensitive order data.
Original plugin page:
https://wordpress.org/plugins/phone-orders-for-woocommerce/
Original advisory:
https://wpscan.com/vulnerability/762a898-c379-45b8-9fee-26dec5cd2b8
How the Vulnerability Happens
Phone Orders for WooCommerce lets store managers or admins quickly create orders on behalf of customers from their dashboard. The problem was, the plugin did not properly check user capabilities before exposing information via some AJAX endpoints.
Here's a simple breakdown
- WordPress plugins usually check the current user's permissions before showing or returning sensitive info.
This plugin failed to check if the current user is allowed to view orders.
- As a result, any logged-in user—including a basic subscriber—could craft a request to the plugin’s AJAX handlers and fetch order details, including customer emails, addresses, product details, and more.
Proof-of-Concept (PoC) Code
Below is a code snippet you can run in your browser’s developer console after logging in as a subscriber:
// Replace with the actual AJAX URL of the WordPress site
let ajaxUrl = '/wp-admin/admin-ajax.php';
fetch(ajaxUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded'
},
// 'action' key may vary based on the plugin's code, commonly something like 'wfpo_get_orders'
body: 'action=wfpo_get_orders&limit=10'
}).then(r => r.json())
.then(data => console.log('Order data:', data));
*Note: If you know the actual action name used by the plugin (such as wfpo_get_orders), use that in the request body.
Check HTML source or plugin code to confirm.*
Products purchased
If the plugin was not patched, you'd see raw order data.
*This data is sensitive and should only be visible to shop managers or admins!*
Real-World Impact
If a bad actor created an account on your shop (like a subscriber to your newsletter or a new user), they could *secretly* download all of your customers’ order information. This puts your clients’ privacy at risk, can lead to phishing, identity theft, or business espionage.
Some stores process hundreds of orders a day, including addresses, telephone numbers, product choices, and even more—this kind of leak can be a big hit for store reputation.
How Was It Fixed?
The developer patched the vulnerability in version 3.7.2 and up by properly checking user permissions before returning order data over AJAX.
Changelogs:
https://wordpress.org/plugins/phone-orders-for-woocommerce/#developers
Fixed in:
Version 3.7.2 (Nov 10, 2022 and later)
Always check vendor and plugin changelogs for confirmation and more details.
Remove Unused Accounts
Prune unnecessary and old subscriber/editor accounts.
Review Security Plugins
Use tools like Wordfence or WPScan to scan for vulnerabilities regularly.
Final Thoughts
CVE-2022-41655 is a classic case where a missing authorization check opened the doors to dangerous data leaks. This isn’t unique—many popular WordPress plugins have suffered the same flaw! The key lessons for store owners and developers:
Read more
- WPScan Advisory for CVE-2022-41655
- Plugin changelog
- OWASP: Broken Access Control
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 17:45:00 UTC