Platform: wordpress
Component: woocommerce
Fixed in: 8.1.3, 8.2.4, 8.3.3, 8.4.2, 8.5.4, 8.6.3, 8.7.2, 8.8.6, 8.9.4, 9.0.3, 9.1.5, 9.2.4, 9.3.5, 9.4.4, 9.5.3, 9.6.3, 9.7.2, 9.8.6, 9.9.6, 10.0.5, 10.1.3, 10.2.3, 10.3.7, 10.4.3
CVE-2025-15033 is a Sensitive Information Exposure vulnerability in the WooCommerce plugin for WordPress. An authenticated attacker with Subscriber-level access or higher can use it to read sensitive user or configuration data. The advisory text gives the affected range as 10.0 up to and including 10.4.2, but the Fixed in list also carries backports for the 8.1 through 9.9 branches, so treat any release older than the patched version for its own branch as affected. Note that 10.0.5 patches only the 10.0 branch: 10.1.0 through 10.4.2 remain affected, and the fix for the current branch is 10.4.3.
The impact of CVE-2025-15033 is exposure of sensitive data held by the WooCommerce plugin. The advisory does not enumerate the exact fields, but it describes information that could compromise user accounts, payment details, or configuration settings, which is enough to support account takeover attempts, targeted phishing of specific customers, and reconnaissance for privilege escalation within the site. The blast radius therefore covers all users and administrators of the affected site, plus any third-party services whose credentials or settings WooCommerce stores. Authentication is required, but only at Subscriber level, which is the default role WordPress assigns to self-registered accounts; on a store that allows registration, that barrier is low.
CVE-2025-15033 was published on December 22, 2025. The EPSS score shown on this page is 0.03% (7th percentile), i.e. little predicted exploitation activity at the time of writing; the need for an authenticated account keeps the bar above that of unauthenticated bugs, but self-registration makes Subscriber accounts cheap to obtain. No public Proof-of-Concept (PoC) exploit has been disclosed at the time of writing, though an information-disclosure bug reachable from a low-privilege account is the kind of flaw for which one is usually straightforward to write once the fix is diffed. Monitor security advisories from WordPress and WooCommerce for updates and reports of exploitation.
Exploit Status
EPSS
0.03% (7th percentile)
CVSS Vector
The primary mitigation for CVE-2025-15033 is to upgrade WooCommerce to the patched release for the branch you run (10.4.3 on the current branch; backports for older branches are listed below). Upgrading to 10.0.5 is only the correct target on the 10.0 branch. If an immediate upgrade is blocked by compatibility testing, reduce exposure in the meantime: the advisory lists no WAF rule for the underlying flaw, so the available levers are account hygiene rather than request filtering. Disable self-registration if the store does not need it (WordPress Settings > General, "Anyone can register", and the account-creation options under WooCommerce > Settings > Accounts & Privacy), review existing users and roles so that only necessary access is granted, and watch WordPress and WooCommerce logs for unusual activity from low-privilege accounts. If you have to roll back after an upgrade, test the previous version in a staging environment before reverting production. Confirm the fix by checking the installed version on the Plugins screen or with WP-CLI (`wp plugin get woocommerce --field=version`) and comparing it against the patched release for its branch.
Update to one of the following versions, or a newer patched version: 8.1.3, 8.2.4, 8.3.3, 8.4.2, 8.5.4, 8.6.3, 8.7.2, 8.8.6, 8.9.4, 9.0.3, 9.1.5, 9.2.4, 9.3.5, 9.4.4, 9.5.3, 9.6.3, 9.7.2, 9.8.6, 9.9.6, 10.0.5, 10.1.3, 10.2.3, 10.3.7, 10.4.3
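Because the fix was backported per branch, "is my install patched?" is a comparison against the patched release of the install's own major.minor branch, not against 10.0.5. The POSIX shell script below is an added example written for this page, not code from WooCommerce or from the advisory. The fixed-version list is copied from the Fixed in list above; the sample versions at the bottom are constructed; the live-site line in the trailing comment assumes WP-CLI is installed. Treating a branch newer than 10.4 as patched and a branch older than 8.1 as unknown are this script's own assumptions.

```shell
#!/bin/sh
# Added example for CVE-2025-15033 (not from WooCommerce or the advisory).
# Decides whether an installed WooCommerce version carries the fix by
# comparing it against the patched release of its own major.minor branch.

# Patched release per branch, copied from the advisory's "Fixed in" list.
FIXED_VERSIONS="8.1.3 8.2.4 8.3.3 8.4.2 8.5.4 8.6.3 8.7.2 8.8.6 8.9.4 9.0.3 9.1.5 9.2.4 9.3.5 9.4.4 9.5.3 9.6.3 9.7.2 9.8.6 9.9.6 10.0.5 10.1.3 10.2.3 10.3.7 10.4.3"
NEWEST_FIXED="10.4.3"

# split_version VERSION: sets V_MAJOR, V_MINOR, V_PATCH from a dotted version.
# Missing parts default to 0 ("10.4" -> 10 4 0). Pre-release suffixes such as
# "10.4.3-beta1" are not handled; strip them before calling.
split_version() {
  v="$1.0.0"
  V_MAJOR=${v%%.*}; v=${v#*.}
  V_MINOR=${v%%.*}; v=${v#*.}
  V_PATCH=${v%%.*}
  V_MAJOR=${V_MAJOR:-0}; V_MINOR=${V_MINOR:-0}; V_PATCH=${V_PATCH:-0}
}

# version_ge A B: succeeds (exit 0) when A >= B, comparing field by field
# numerically so that 10.10.0 sorts above 10.9.9.
version_ge() {
  split_version "$1"; a1=$V_MAJOR; a2=$V_MINOR; a3=$V_PATCH
  split_version "$2"; b1=$V_MAJOR; b2=$V_MINOR; b3=$V_PATCH
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# fixed_release_for_branch VERSION: prints the patched release for VERSION's
# major.minor branch, or nothing when the advisory lists no backport for it.
fixed_release_for_branch() {
  split_version "$1"
  branch="$V_MAJOR.$V_MINOR"
  for fv in $FIXED_VERSIONS; do
    case "$fv" in
      "$branch".*) echo "$fv"; return 0 ;;
    esac
  done
  return 0
}

# cve_2025_15033_status VERSION: prints "patched", "vulnerable" or "unknown".
# Always exits 0 so it can be used safely inside command substitution under set -e.
cve_2025_15033_status() {
  fixed=$(fixed_release_for_branch "$1")
  if [ -n "$fixed" ]; then
    if version_ge "$1" "$fixed"; then echo patched; else echo vulnerable; fi
  elif version_ge "$1" "$NEWEST_FIXED"; then
    echo patched    # assumption: a branch newer than 10.4 shipped after the fix
  else
    echo unknown    # assumption: below 8.1 the advisory lists no backport
  fi
}

# Constructed sample versions (not taken from any real site).
for v in 10.4.2 10.4.3 10.1.0 10.0.5 9.9.5 9.9.6 10.5.0 8.0.1; do
  printf '%-8s %s\n' "$v" "$(cve_2025_15033_status "$v")"
done

# Against a live site (assumes WP-CLI, run from the WordPress root):
#   cve_2025_15033_status "$(wp plugin get woocommerce --field=version)"
```

The branch lookup is the point: an install on 10.1.0 reports vulnerable even though 10.1.0 is numerically above 10.0.5, because its own branch's fix is 10.1.3.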
It's a vulnerability in WooCommerce allowing authenticated users (Subscriber level or higher) to extract sensitive data like user details and configuration settings.
If you're running WooCommerce 10.0 through 10.4.2 on your WordPress site, you are potentially affected; given the backports listed above, the same goes for any 8.x or 9.x release older than the patched version for its branch.
Upgrade WooCommerce to the patched release for your branch (10.4.3 on the current branch, or the matching backport listed above) to resolve the vulnerability. If an immediate upgrade isn't possible, tighten account controls: disable self-registration where it isn't needed and review existing user roles.
No public exploits have been disclosed, but the vulnerability's nature suggests a potential for exploitation. Monitor security advisories.
Refer to the official WordPress and WooCommerce security advisories, as well as the National Vulnerability Database (NVD) entry for CVE-2025-15033.