Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Summary: An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details: Data Exposure. Depending on the order payload configuration, attackers may retrieve: -...
CVE-2025-15033 WooCommerce - Subscriber/Customer+ Order Data Disclosure
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it...
CVE-2025-15033
CVE-2025-15033 affects WooCommerce core 8.1–10.4.2 under a specific site configuration, allowing logged-in customers to view guest order data. The issue is mitigated by patches in 10.4.3 and backported to 8.1.3; sites on 8.0 or earlier are not affected. If applicable, upgrade to 10.4.3 or 8.1.3+ ...