CVE-2025-12075 Overview
The Order Splitter for WooCommerce plugin for WordPress contains a broken access control vulnerability due to a missing capability check on the wos_troubleshooting AJAX endpoint. This flaw affects all versions up to and including 5.3.5, allowing authenticated attackers with minimal privileges (Subscriber-level and above) to access sensitive order information belonging to other users.
Critical Impact
Authenticated attackers with low-privilege WordPress accounts can exploit this vulnerability to view other users' order data, potentially exposing sensitive customer information including names, addresses, and purchase details.
Affected Products
- Order Splitter for WooCommerce plugin for WordPress versions ≤ 5.3.5
- WordPress installations using the affected plugin versions
- WooCommerce stores with the Order Splitter plugin enabled
Discovery Timeline
- 2026-02-18 - CVE-2025-12075 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-12075
Vulnerability Analysis
This vulnerability stems from a missing authorization check (CWE-862) in the Order Splitter for WooCommerce plugin. The wos_troubleshooting AJAX endpoint fails to verify whether the requesting user has appropriate permissions to access the requested data. As a result, any authenticated user—even those with only Subscriber-level access—can invoke this endpoint and retrieve order information that should be restricted to administrators or the order owner.
In WordPress and WooCommerce environments, order data typically contains sensitive customer information including billing addresses, shipping details, email addresses, phone numbers, and purchase history. The exposure of this data could lead to privacy violations, targeted phishing attacks, or compliance issues under regulations such as GDPR.
Root Cause
The root cause is the absence of a capability check within the wos_troubleshooting AJAX handler. WordPress plugins should validate user capabilities using functions like current_user_can() before processing requests that access sensitive data. Without this authorization gate, the endpoint trusts that any authenticated request is legitimate, regardless of the user's actual role or permissions.
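The missing-authorization pattern (CWE-862) and its hardened counterpart, as an added illustration written for this page, not code from the Order Splitter plugin itself. The handler names, the order_id request parameter, the nonce action name and the manage_woocommerce capability are assumptions made for the example.

```php
<?php
// Hypothetical WordPress AJAX handlers (not the plugin's own code) showing the
// CWE-862 defect the advisory describes beside the corrected form.

// VULNERABLE pattern: a wp_ajax_* hook only requires a logged-in session, so
// without an explicit capability check any Subscriber reaches this code.
function example_troubleshooting_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0; // assumed parameter
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // No authorization gate: order data of any customer is returned.
    wp_send_json_success( array(
        'billing_email' => $order->get_billing_email(),
        'total'         => $order->get_total(),
    ) );
}

// HARDENED form: nonce check, then a capability/ownership gate before any
// order data is read.
function example_troubleshooting_hardened() {
    // 'wos_troubleshooting' as the nonce action name is an assumption.
    check_ajax_referer( 'wos_troubleshooting', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // manage_woocommerce is held by Shop Managers and Administrators; the
    // order owner is also allowed. Guest orders (customer id 0) never match.
    $customer_id = (int) $order->get_customer_id();
    $is_owner    = $customer_id > 0 && $customer_id === get_current_user_id();
    if ( ! current_user_can( 'manage_woocommerce' ) && ! $is_owner ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array(
        'billing_email' => $order->get_billing_email(),
        'total'         => $order->get_total(),
    ) );
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_troubleshooting', 'example_troubleshooting_hardened' );
```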
Attack Vector
The attack requires network access and a valid WordPress account with at least Subscriber privileges. An attacker would craft an AJAX request to the wos_troubleshooting endpoint, potentially iterating through order IDs or manipulating request parameters to extract order data belonging to other customers.
The vulnerability can be exploited by sending crafted POST requests to the WordPress AJAX handler (/wp-admin/admin-ajax.php) with the action parameter set to wos_troubleshooting. Since no capability check is performed, the server processes the request and returns order data without verifying authorization.
For technical details on the vulnerability and patch, refer to the WordPress Changeset Update and the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-12075
Indicators of Compromise
- Unusual AJAX requests to admin-ajax.php with action wos_troubleshooting from non-admin users
- Multiple requests to the troubleshooting endpoint from the same user session in rapid succession
- Access logs showing Subscriber or Customer-level users querying the AJAX endpoint
- Anomalous patterns of order data access that don't match normal user behavior
Detection Strategies
- Monitor WordPress AJAX logs for requests to wos_troubleshooting from low-privilege accounts
- Implement web application firewall rules to flag suspicious parameter patterns targeting the vulnerable endpoint
- Review access logs for authenticated users attempting to access order IDs they don't own
- Deploy endpoint detection solutions to identify exploitation attempts in real-time
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests and correlate with user role information
- Set up alerts for unusual spikes in requests to the wos_troubleshooting action
- Regularly audit user accounts with Subscriber-level access for suspicious activity
- Implement anomaly detection for order data access patterns
How to Mitigate CVE-2025-12075
Immediate Actions Required
- Update Order Splitter for WooCommerce plugin to a version newer than 5.3.5 immediately
- Review access logs to determine if the vulnerability has been exploited
- Audit any Subscriber-level or Customer-level accounts for suspicious activity
- Consider temporarily disabling the plugin until the patch can be applied
Patch Information
A security patch has been released to address this vulnerability. The fix adds proper capability checks to the wos_troubleshooting AJAX endpoint, ensuring only authorized users can access the functionality. Details of the code changes can be reviewed in the WordPress Changeset Update.
Workarounds
- Temporarily disable the Order Splitter for WooCommerce plugin until patching is possible
- Implement web application firewall rules to block unauthorized AJAX requests to wos_troubleshooting
- Restrict or remove unnecessary Subscriber-level accounts to reduce the attack surface
- Use a WordPress security plugin to add additional access controls around AJAX endpoints
# Example: Block the vulnerable AJAX action in .htaccess (temporary workaround)
# Add to WordPress root .htaccess file
# Caveat: mod_rewrite only inspects the query string, so this blocks
# ?action=wos_troubleshooting but not the same action sent in a POST body,
# which is how admin-ajax.php requests are usually made. Pair it with a
# plugin-level or WAF rule that inspects request bodies.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php
RewriteCond %{QUERY_STRING} (^|&)action=wos_troubleshooting(&|$) [NC]
RewriteRule .* - [F,L]
</IfModule>
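A plugin-level guard that also covers the POST-body form of the request, as an added example for the workaround and detection lists above (written for this page; not part of the Order Splitter plugin or any security plugin). It is a must-use plugin that blocks wos_troubleshooting for callers lacking an assumed manage_woocommerce capability and logs the caller's roles so the entries can be correlated with access logs.

```php
<?php
/**
 * Plugin Name: Virtual patch for wos_troubleshooting (example, not the plugin's code)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Unlike the .htaccess rule, this sees the action whether it arrives in the
 * query string or the POST body.
 */

// Capability required to reach the endpoint; an assumption for this example.
const WOS_VP_REQUIRED_CAP = 'manage_woocommerce';

function wos_vp_guard() {
    // admin_init fires in admin-ajax.php before any wp_ajax_{action} hook runs,
    // so an early handler here runs ahead of the vulnerable plugin handler.
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'wos_troubleshooting' !== $action ) {
        return;
    }
    if ( current_user_can( WOS_VP_REQUIRED_CAP ) ) {
        return; // authorized caller: let the plugin handle the request
    }
    $user  = wp_get_current_user();
    $roles = $user->exists() ? implode( ',', $user->roles ) : 'anonymous';
    // One log line per blocked attempt carrying the signal the advisory lists:
    // a low-privilege (or anonymous) account hitting the troubleshooting action.
    error_log( sprintf(
        'CVE-2025-12075 guard: blocked wos_troubleshooting user_id=%d roles=%s ip=%s method=%s',
        $user->ID,
        $roles,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}
add_action( 'admin_init', 'wos_vp_guard', 0 );
```

Remove the guard once the plugin has been updated past 5.3.5; repeated entries from one user_id in the log are the "rapid succession" indicator described above.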
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.