2 matches found
GHSA-P6PV-Q7RC-G4H9 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
Unauthenticated users can view completed guest orders by Order ID GHSL-2026-029 The OrdersControllershow action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in OrdersControllershow: rub...
PT-2025-52678
Name of the Vulnerable Software and Affected Versions WooCommerce versions 8.1 through 10.4.2 Description A flaw exists in WooCommerce that could allow authenticated customers to view order information belonging to guest customers, specifically on sites with a particular setup. Recommendations...