Cyber Posture

CVE-2025-15484

Critical

Published: 01 April 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available (update to 3.6.3 or later)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.1st percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-15484 is a critical-severity Improper Authentication (CWE-287) vulnerability in the Order Notification for WooCommerce WordPress plugin, affecting versions before 3.6.3. Its CVSS v3.1 base score is 9.1 (Critical): network-reachable, low complexity, no privileges or user interaction required, with high confidentiality and integrity impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it in the 13.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. The low EPSS reflects observed exploitation activity at the time of scoring, not difficulty: the flaw needs no credentials and no interaction, so an Internet-facing store running an affected version should be patched on the CVSS rating rather than deprioritized on EPSS alone.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations for access to system resources, directly countering the plugin's override of permission checks that granted unauthenticated requests full read/write access to store data.

SC-14 Public Access Protections (prevent): mandates protections for system resources accessible to public users, preventing unauthenticated access to sensitive store resources such as products, coupons, and customers. Note that SC-14 is marked withdrawn in SP 800-53 Rev. 4 and Rev. 5, with its intent incorporated into AC-3, AC-6 and the SI family; map compliance evidence to those controls rather than to SC-14 itself.

SI-2 Flaw Remediation (prevent): ensures identification, reporting, and correction of system flaws such as this plugin vulnerability, here by updating the plugin to version 3.6.3 or later to restore WooCommerce's permission checks.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct, unauthenticated remote exploitation of a public-facing WordPress/WooCommerce plugin via an authentication bypass (CWE-287), giving full read and write access to store data without any prior foothold.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write access to store resources like products, coupons, and customers.

Deeper analysis

CVE-2025-15484 is a critical vulnerability in the Order Notification for WooCommerce WordPress plugin, affecting versions prior to 3.6.3. The flaw occurs because the plugin overrides WooCommerce's permission checks, granting full access to all unauthenticated requests. This results in complete read/write access to store resources, such as products, coupons, and customers, stemming from CWE-287 (Improper Authentication). The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction. Because the plugin short-circuits the permission check rather than a single endpoint, every store resource the overridden check guards is affected: an attacker can read confidential information such as customer names, e-mail and billing details, and can modify resources such as products and coupons, for example by changing prices or creating discount codes. The vector scores availability as unaffected (A:N), but write access to catalogue and pricing data is an integrity impact with direct financial consequences.

Mitigation requires updating the Order Notification for WooCommerce plugin to version 3.6.3 or later. Because the bypass applied to every unauthenticated request for as long as an affected version was active, operators should also review coupon and product change history for that period and treat customer records as potentially exposed. Further details on the vulnerability and remediation are provided in the WPScan advisory at https://wpscan.com/vulnerability/ee9f1c0c-86bb-4922-9eb5-8aae78003eff/.
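A practitioner will want to confirm from the outside, before and after the update, that WooCommerce's own permission checks are back in force. The following Python check is an added example written for this page; it is not code from the plugin, from WooCommerce, or from the advisory. It sends anonymous GET requests (no cookie, no consumer key) to read-only listing routes in the wc/v3 namespace and classifies the answer: with permission checks intact WooCommerce answers 401 with error code woocommerce_rest_cannot_view, whereas a store whose checks are bypassed serves the listing as a 200 JSON array. The store URL and the two sample responses are constructed for offline demonstration. It deliberately never attempts a write, and it does not probe the Store API (/wp-json/wc/store/v1/), which is public by design and is not evidence of this bug.

```python
"""Added example: external check that WooCommerce REST permission checks are enforced.

Anonymous GETs to admin-only wc/v3 listing routes. Intact permission checks
answer 401 (code woocommerce_rest_cannot_view); a plugin that grants every
unauthenticated request full access answers 200 with a JSON list.
The store URL and sample responses below are constructed, not captured.
"""
import json
import sys
import urllib.error
import urllib.request

# Admin-only routes in the wc/v3 namespace. GET only: never probe write access
# against a store you do not own. /wp-json/wc/store/v1/* is public by design
# and must not be used as evidence of a bypass.
READ_ONLY_ROUTES = (
    "/wp-json/wc/v3/customers?per_page=1",
    "/wp-json/wc/v3/coupons?per_page=1",
    "/wp-json/wc/v3/products?per_page=1",
)


def classify(status, body):
    """Classify one anonymous GET to a wc/v3 route.

    'denied'  : 401/403 carrying a WordPress/WooCommerce REST error code
    'exposed' : 200 carrying a JSON list, i.e. the listing was served
    'unknown' : anything else (route missing, WAF/HTML page, non-list JSON)
    """
    if status in (401, 403):
        try:
            err = json.loads(body)
        except ValueError:
            return "unknown"  # e.g. a WAF block page, not a WordPress answer
        code = err.get("code", "") if isinstance(err, dict) else ""
        return "denied" if code.startswith(("woocommerce_rest_", "rest_")) else "unknown"
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(data, list):
            return "exposed"
    return "unknown"


def fetch(url, timeout=10):
    """Anonymous GET returning (status, body); HTTP errors are data, not exceptions."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "wc-perm-check/1.0", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def probe(base_url, fetcher=fetch):
    """Map each route to its classification; fetcher is injectable for offline use."""
    base = base_url.rstrip("/")
    return {route: classify(*fetcher(base + route)) for route in READ_ONLY_ROUTES}


def verdict(results):
    """VULNERABLE if any admin listing was served anonymously, PROTECTED only if
    every route was denied by WordPress, INCONCLUSIVE otherwise (e.g. WAF, no REST)."""
    values = set(results.values())
    if "exposed" in values:
        return "VULNERABLE"
    if values == {"denied"}:
        return "PROTECTED"
    return "INCONCLUSIVE"


# Constructed sample responses (not captured from a real store).
SAMPLE_DENIED = (401, json.dumps({
    "code": "woocommerce_rest_cannot_view",
    "message": "Sorry, you cannot list resources.",
    "data": {"status": 401},
}))
SAMPLE_EXPOSED = (200, json.dumps([
    {"id": 7, "email": "customer@example.com", "first_name": "Ada",
     "billing": {"city": "London", "postcode": "N1 9GU"}},
]))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python wc_perm_check.py https://shop.example
        live = probe(sys.argv[1])
        for route, state in live.items():
            print(f"{state:8s} {route}")
        print("verdict:", verdict(live))
    else:  # offline demonstration with the constructed samples
        print("patched store :", verdict(probe("https://shop.example", lambda u: SAMPLE_DENIED)))
        print("bypassed store:", verdict(probe("https://shop.example", lambda u: SAMPLE_EXPOSED)))
```

A 403 block page from a WAF or a 404 from a site with the REST API disabled is reported as INCONCLUSIVE rather than PROTECTED, because neither proves that WooCommerce's permission callback ran; confirm those cases from inside the site (plugin version 3.6.3 or later in the WordPress admin) instead of from the probe.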

Details

CWE(s): CWE-287 Improper Authentication

CVEs Like This One

CVE-2026-5570 (shared CWE-287)
CVE-2025-52395 (shared CWE-287)
CVE-2026-41571 (shared CWE-287)
CVE-2026-2174 (shared CWE-287)
CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2026-39322 (shared CWE-287)
CVE-2026-34873 (shared CWE-287)
CVE-2026-20129 (shared CWE-287)
CVE-2026-30967 (shared CWE-287)

References

WPScan advisory: https://wpscan.com/vulnerability/ee9f1c0c-86bb-4922-9eb5-8aae78003eff/