CVE-2025-15033

WooCommerce - Subscriber/Customer+ Order Data Disclosure

A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.


We have discovered 855,704 live websites that are affected by CVE-2025-15033.


Affected Software

Product            WooCommerce
Category           Ecommerce
Vulnerable Domains 855,704 live websites (66% of WooCommerce install base)
Vulnerable Versions
  • from 8.1 through 8.1.3
  • from 8.2 through 8.2.4
  • from 8.3 through 8.3.3
  • from 8.4 through 8.4.2
  • from 8.5 through 8.5.4
  • from 8.6 through 8.6.3
  • from 8.7 through 8.7.2
  • from 8.8 through 8.8.6
  • from 8.9 through 8.9.4
  • from 9 through 9.0.3
  • from 9.1 through 9.1.5
  • from 9.2 through 9.2.4
  • from 9.3 through 9.3.5
  • from 9.4 through 9.4.4
  • from 9.5 through 9.5.3
  • from 9.6 through 9.6.3
  • from 9.7 through 9.7.2
  • from 9.8 through 9.8.6
  • from 9.9 through 9.9.6
  • from 10 through 10.0.5
  • from 10.1 through 10.1.3
  • from 10.2 through 10.2.3
  • from 10.3 through 10.3.7
  • from 10.4 through 10.4.3
Vulnerable Versions Count 91 versions (20% of all versions)


Common Weakness Enumeration

CWE-639 Authorization Bypass Through User-Controlled Key



Details

  • Published - Dec 22, 2025
  • Updated - Dec 22, 2025

Credits

  • Peter Stöckli (finder)
  • WPScan (coordinator)

Website Distribution by Country

Number of websites affected by CVE-2025-15033
United States  256,162 websites
Germany        65,893 websites
GB             47,211 websites
France         42,115 websites
Netherlands    33,217 websites
Italy          31,813 websites
Spain          26,150 websites
Iran           20,375 websites
Cyprus         20,253 websites
Canada         17,339 websites

Website Distribution by TLD

Number of websites affected by CVE-2025-15033
.com     396,147 websites
.co.uk   30,058 websites
.nl      29,739 websites
.de      27,820 websites
.org     26,760 websites
.it      22,580 websites
.fr      16,944 websites
.com.au  16,162 websites
.com.br  15,385 websites
.net     15,376 websites

FAQ

CVE-2025-15033 is an Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce.
A total of 855,704 websites have been identified as vulnerable to CVE-2025-15033, based on global website indexing conducted by WebTechSurvey.
WooCommerce is affected by the CVE-2025-15033 vulnerability.
WooCommerce versions up to 10.4.3 are vulnerable to CVE-2025-15033.
CVE-2025-15033 is resolved in version 10.4.3 of WooCommerce.