CVE Catalog

CVE-2026-9612

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile - higher than 22% of all known CVEs

Summary

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 1.0.1. Unauthenticated attackers can access sensitive customer data and order details by enumerating sequential order IDs.

Risk Assessment

The exposure of sensitive customer personal information can lead to identity theft and other abuses, posing a serious risk to the organization's reputation and its customers.

Recommendation

It is recommended to update the plugin to the latest version and implement appropriate security measures, such as .htaccess rules, to block access to the invoice directory.

Original NVD description (English source)

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order details — including full name, email address, phone number, billing address, ordered items with quantities and prices, applied coupons, shipping method, and order total — from any customer's invoice by enumerating sequential order IDs. Invoice HTML files are written to the publicly accessible wp-content/uploads/whatsorder_invoices/ directory, which is created without an .htaccess deny rule or index.php guard, making every invoice directly downloadable over HTTP with no authentication check.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS