Cyber Resilience

CVE-2025-15484

Severity: Critical
Published: 01 April 2026
Modified: 15 April 2026
CISA KEV: not listed
Fix: Order Notification for WooCommerce 3.6.3 or later
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.0024 (14.5th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2025-15484 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 14.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog. Note that a low EPSS percentile reflects observed exploitation activity at scoring time, not ease of exploitation: with PR:N and AC:L against an Internet-facing store, the patch should not wait for the score to rise.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2025-15484 is a critical vulnerability in the Order Notification for WooCommerce WordPress plugin, affecting versions prior to 3.6.3. The flaw occurs because the plugin overrides WooCommerce's permission checks, granting full access to all unauthenticated requests. This results in complete read/write access to store resources, such as products, coupons, and customers, stemming from CWE-287 (Improper Authentication). The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation grants complete control over sensitive store data, enabling attackers to read confidential information like customer details and arbitrarily modify resources such as products and coupons.

Mitigation requires updating the Order Notification for WooCommerce plugin to version 3.6.3 or later. Further details on the vulnerability and remediation are provided in the WPScan advisory at https://wpscan.com/vulnerability/ee9f1c0c-86bb-4922-9eb5-8aae78003eff/.
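The advisory says only that the plugin "overrides WooCommerce's permission checks" for unauthenticated requests; it does not say how. The following is an added illustration, not code from the Order Notification for WooCommerce plugin or from WooCommerce itself. It assumes the override was done through WooCommerce's `woocommerce_rest_check_permissions` filter, which the WooCommerce REST controllers consult (via `wc_rest_check_post_permissions()`, `wc_rest_check_user_permissions()` and related helpers) before serving `/wp-json/wc/v3/*`; an unconditional `true` from that filter produces exactly the behaviour described. The vulnerable callback, the hardened replacement, and an audit helper that lists whatever is hooked on that filter are all hypothetical names chosen for this example.

```php
<?php
/**
 * Added example (not the affected plugin's code). Assumes WooCommerce routes
 * its REST permission checks through the `woocommerce_rest_check_permissions`
 * filter with the signature ( $permission, $context, $object_id, $object_type ).
 * Whether the affected plugin used this filter is not stated in the advisory.
 */

// --- Vulnerable pattern (hypothetical) ---
// Any callback that returns true here makes every WooCommerce REST request,
// including anonymous ones, pass every permission check: full read/write on
// products, coupons, customers, orders. Shown for contrast; NOT registered.
function vulnerable_wc_rest_check_permissions( $permission, $context, $object_id, $object_type ) {
	return true;
}
// add_filter( 'woocommerce_rest_check_permissions', 'vulnerable_wc_rest_check_permissions', 10, 4 );

// --- Hardened replacement ---
// Never widen access for anonymous callers. REST authentication (cookie+nonce,
// application password over HTTPS, or a WooCommerce REST API key/secret) runs
// before permission callbacks and populates the current user, so
// is_user_logged_in() distinguishes an authenticated integration from PR:N.
function hardened_wc_rest_check_permissions( $permission, $context, $object_id, $object_type ) {
	if ( ! is_user_logged_in() ) {
		return $permission; // WooCommerce's own verdict (normally false) stands
	}
	// Relax only for accounts already entitled to store data, and only for
	// the read context a notification integration actually needs.
	if ( 'read' === $context && current_user_can( 'manage_woocommerce' ) ) {
		return true;
	}
	return $permission;
}
add_filter( 'woocommerce_rest_check_permissions', 'hardened_wc_rest_check_permissions', 10, 4 );

// --- Audit helper ---
// Lists every callback hooked on the filter so an operator can spot an
// unconditional grant (for example __return_true) from any installed plugin.
// Run with: wp eval-file audit-wc-permissions.php
function list_wc_permission_hooks() {
	global $wp_filter;
	$hook = $wp_filter['woocommerce_rest_check_permissions'] ?? null;
	if ( ! $hook ) {
		return array();
	}
	$found = array();
	foreach ( $hook->callbacks as $priority => $callbacks ) {
		foreach ( $callbacks as $cb ) {
			$fn = $cb['function'];
			if ( is_array( $fn ) ) {
				$name = ( is_object( $fn[0] ) ? get_class( $fn[0] ) : $fn[0] ) . '::' . $fn[1];
			} elseif ( $fn instanceof Closure ) {
				$name = 'closure';
			} else {
				$name = (string) $fn;
			}
			$found[] = array( 'priority' => $priority, 'callback' => $name );
		}
	}
	return $found;
}

foreach ( list_wc_permission_hooks() as $entry ) {
	printf( "%d\t%s\n", $entry['priority'], $entry['callback'] );
}
```

After patching, confirm the fix from outside as well: an unauthenticated `GET /wp-json/wc/v3/customers` against the store must return HTTP 401 with `woocommerce_rest_cannot_view`, not a 200 with customer records. If the audit helper still shows a callback named `__return_true` or a closure on this filter, trace it to its plugin before assuming the update closed the hole.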


Vulnerability details

The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permission checks to grant full access to all unauthenticated requests, enabling complete read/write access to store resources like products, coupons, and customers.

CWE(s)

CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct, unauthenticated remote exploitation of a public-facing WordPress/WooCommerce plugin via an authentication bypass (CWE-287) that yields full read and write access to store data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)


Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): requires enforcement of approved authorizations for access to system resources. It directly counters the plugin's override of WooCommerce's permission checks, which granted unauthenticated callers full read/write access to store data.

SC-14 Public Access Protections (prevent): mandates protections for system resources accessible to public users, preventing unauthenticated access to sensitive store resources such as products, coupons, and customers. Caveat: SC-14 was withdrawn from SP 800-53 in Rev. 4 (its capability is provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10), so it does not exist as a citable control in an r5 baseline; map this finding to AC-3 and SI-10 instead.

SI-2 Flaw Remediation (prevent): ensures identification, reporting, and correction of system flaws such as this plugin vulnerability, in this case updating to version 3.6.3 or later to restore WooCommerce's permission checks.
