Introduction
Customer names, locations, and purchase histories from thousands of WooCommerce stores can be accessed by anyone on the internet due to a critical flaw in the Live Sales Notification for WooCommerce plugin. This issue affects over 20000 active WordPress sites and directly exposes sensitive order data to unauthenticated attackers.
About the Involved Software
The Live Sales Notification for WooCommerce plugin is a popular WordPress extension designed to display real-time or simulated sales notifications to site visitors, leveraging social proof to increase conversions. With over 20000 active installations, it is widely adopted by WooCommerce store owners across the globe. WooCommerce itself is the most popular e-commerce platform for WordPress, powering a significant portion of online stores worldwide.
Technical Information
CVE-2025-12955 is a missing authorization vulnerability (CWE-862) in the Live Sales Notification for WooCommerce plugin. In all versions up to and including 2.3.39, the plugin exposes a REST API endpoint that invokes the getOrders function. This function is responsible for retrieving recent order data (including customer first names, city, state, country, purchase time and date, and product details) for use in sales notification popups.
The core issue is that the getOrders function performs no authorization or capability check before returning order data. Any unauthenticated user can send an HTTP request to the exposed endpoint and receive sensitive customer information in response. The attack requires neither user interaction nor authentication and can be carried out over the network. The vulnerability is present in any plugin configuration in which the recent order notification feature is enabled.
No public sources provide the exact endpoint URL or code snippets for the vulnerable function, and there is currently no public information about a patch or about detection methods for this vulnerability.
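The missing-authorization pattern described above, shown as an added illustration in WordPress REST API terms. This is not the plugin's code (no public snippet exists); the namespace, route and function names are hypothetical placeholders. The vulnerable form registers the route with a permission_callback that allows every request, the hardened form checks a capability before the callback runs.

```php
<?php
// Added illustration of CWE-862 in a WordPress REST route. This is NOT the
// plugin's code; namespace, route and function names are hypothetical.
// Vulnerable pattern: permission_callback always returns true, so any
// unauthenticated visitor can call the route and receive the order data.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-sales/v1', '/recent-orders', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_recent_orders',
        'permission_callback' => '__return_true', // no authorization check
    ) );
} );
// Hardened pattern: same callback, but the route rejects callers without a
// WooCommerce order-management capability (WordPress answers 401/403 itself).
// Data that genuinely must reach anonymous visitors belongs in a separate,
// minimised response (e.g. product name only), never the raw order record.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-sales/v1', '/recent-orders-admin', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_recent_orders',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );
// Returns the fields a sales-notification popup uses: first name, city,
// state, country, purchase time and product names of recent orders.
function example_recent_orders( WP_REST_Request $request ) {
    $orders = wc_get_orders( array(
        'limit' => 5, 'status' => array( 'completed', 'processing' ),
        'orderby' => 'date', 'order' => 'DESC',
    ) );
    $out = array();
    foreach ( $orders as $order ) {
        $created  = $order->get_date_created();
        $products = array();
        foreach ( $order->get_items() as $item ) {
            $products[] = $item->get_name();
        }
        $out[] = array(
            'first_name' => $order->get_billing_first_name(),
            'city'       => $order->get_billing_city(),
            'state'      => $order->get_billing_state(),
            'country'    => $order->get_billing_country(),
            'time'       => $created ? $created->date( DATE_ATOM ) : null,
            'products'   => $products,
        );
    }
    return rest_ensure_response( $out );
}
```

A useful audit check for any WordPress site is to grep active plugins for register_rest_route calls whose permission_callback is '__return_true' and confirm that each such route returns nothing more than public data.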
Affected Systems and Versions
- Product: Live Sales Notification for WooCommerce (WordPress plugin)
- Affected versions: All versions up to and including 2.3.39
- Vulnerable configuration: Any site with the plugin active and configured to display recent order information
Vendor Security History
The Live Sales Notification for WooCommerce plugin is actively maintained with frequent compatibility and feature updates. However, there is no public evidence of a mature security response process or systematic vulnerability management. Similar missing authorization vulnerabilities have been reported in other WooCommerce-related plugins, indicating a recurring issue in the ecosystem.