{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1284", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-13T17:48:05.095Z", "datePublished": "2025-04-24T08:23:48.546Z", "dateUpdated": "2026-04-08T16:59:54.218Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:54.218Z"}, "affected": [{"vendor": "xpertsclub", "product": "Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's invoices and orders which can contain sensitive information."}], "title": "Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f593dce-4b56-46c0-becd-75fd16f165a8?source=cve"}, {"url": "https://codecanyon.net/item/woocommerce-google-cloud-print/21129093"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2025-04-23T19:39:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-24T13:39:47.884137Z", "id": "CVE-2025-1284", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T15:22:43.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1284", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-24T13:39:47.884137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-24T13:48:15.380Z"}}], "cna": {"title": "Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "xpertsclub", "product": "Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-23T19:39:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f593dce-4b56-46c0-becd-75fd16f165a8?source=cve"}, {"url": "https://codecanyon.net/item/woocommerce-google-cloud-print/21129093"}], "descriptions": [{"lang": "en", "value": "The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's invoices and orders which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:54.218Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1284", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:54.218Z", "dateReserved": "2025-02-13T17:48:05.095Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-24T08:23:48.546Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's invoices and orders which can contain sensitive information."}, {"lang": "es", "value": "El complemento WooCommerce Automatic Order Printing | (anteriormente WooCommerce Google Cloud Print) para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 4.1 incluida, mediante la acci\u00f3n AJAX xc_woo_printer_preview debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite que atacantes autenticados, con acceso de suscriptor o superior, vean las facturas y pedidos de otros usuarios, que pueden contener informaci\u00f3n confidencial."}], "id": "CVE-2025-1284", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-24T09:15:29.963", "references": [{"source": "security@wordfence.com", "url": "https://codecanyon.net/item/woocommerce-google-cloud-print/21129093"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f593dce-4b56-46c0-becd-75fd16f165a8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:11:11.568879+00:00", "value": {"mitigation_remediation": ["Update the WooCommerce Automatic Order Printing plugin to version 4.2 or later, where the xc_woo_printer_preview action includes proper access validation.", "If an update is not available, disable the xc_woo_printer_preview AJAX endpoint for all users except administrators.", "Implement role\u2011based access checks so that only the order owner or administrators can retrieve invoice data, aligning with CWE\u2011639 mitigation practices."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the WooCommerce Automatic Order Printing plugin (formerly WooCommerce Google Cloud Print) for WordPress, distributed by xpertsclub. All released versions up to and including 4.1 are vulnerable, and any site running those versions exposes order data to authenticated users with Subscriber role or higher.", "description_and_impact": "The vulnerability in the WooCommerce Automatic Order Printing plugin is an insecure direct object reference that occurs when the xc_woo_printer_preview AJAX action lacks validation of a user\u2011controlled key. An attacker with Subscriber or higher privileges can exploit this flaw to view other users\u2019 invoices and orders, exposing potentially sensitive information. This weakness is identified as CWE-639, representing unauthorized viewing of resources.", "risk_and_exploitability": "The CVSS score of 4.3 places the flaw in the medium severity range. The EPSS score of less than 1% indicates a very low probability that the vulnerability will be exploited in the near term, and it is not listed in the CISA KEV catalog. The attack likely requires an authenticated WordPress user with Subscriber\u2011level access or higher to trigger the insecure AJAX action, after which the attacker can retrieve invoice details belonging to other users. Deploying a fix or access controls is therefore advisable to prevent accidental disclosure."}}}}, "created": "2026-04-21T21:15:45.450088+00:00", "updated": "2026-04-21T21:15:45.450098+00:00", "vendors": []}