WordPress Security Bulletin: Order Splitter for WooCommerce Plugin Vulnerability (CVE-2025-12075)

Security Alert Summary

The Order Splitter for WooCommerce plugin contains an access control issue in an AJAX endpoint that can allow authenticated users with Subscriber-level access and above to view information related to other users’ orders. The issue is due to a missing capability check on the endpoint and affects versions up to and including 5.3.5.


CVE Details

  • CVE ID: CVE-2025-12075
  • Affected component: Order Splitter for WooCommerce plugin for WordPress
  • Affected versions: All versions up to, and including, 5.3.5
  • Published: February 18, 2026 05:16:17 AM UTC
  • Last modified: February 18, 2026 05:51:53 PM UTC
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Attack vector / complexity / scope: Network / Low / Unchanged
  • Authentication / privileges / user interaction: Requires authentication. Privileges required: Low (Subscriber-level and above). User interaction: None.
  • Primary impact: Confidentiality: Low; Integrity: None; Availability: None
  • Weakness: CWE-862 (Authorization bypass through user role or capability checks)

Technical Details

According to the CVE entry, the plugin fails to perform a capability check on the AJAX endpoint named wos_troubleshooting. Because that endpoint lacks the necessary authorization checks, authenticated users with Subscriber-level permissions or higher can invoke it and obtain information pertaining to other users’ orders. The issue exists in all versions up to and including 5.3.5.

The vulnerability is an authorization bypass: the endpoint is reachable by authenticated users but does not verify that the requesting user has rights to view the order data being returned. The description does not specify additional functions, database fields, or response contents beyond letting an authenticated low-privilege user view information about other users’ orders.
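The vulnerable and hardened shapes of such a handler, shown here as an added illustration rather than the plugin's own code: only the action name wos_troubleshooting comes from the CVE entry; the handler bodies, the nonce name and the choice of the manage_woocommerce capability are assumptions.

```php
<?php
// Illustrative WordPress AJAX handlers, not code from Order Splitter for WooCommerce.
// Any logged-in user (Subscriber and up) can invoke a wp_ajax_* handler through
// admin-ajax.php, so authorization must be enforced inside the handler itself.

// BEFORE: the CWE-862 shape. No capability check, so whatever this returns is
// readable by every authenticated account, whoever the order belongs to.
function wos_troubleshooting_unchecked() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order' );
    }
    wp_send_json_success( array(
        'status'   => $order->get_status(),
        'customer' => $order->get_customer_id(),
    ) );
}

// AFTER: verify intent (nonce) and authority (capability) before reading data.
function wos_troubleshooting_checked() {
    // Nonce name is assumed; check_ajax_referer() dies on a missing/invalid nonce.
    check_ajax_referer( 'wos_troubleshooting_nonce', 'security' );

    // Troubleshooting store orders is a store-manager task; 'manage_woocommerce'
    // is held by Shop Managers and Administrators, not Subscribers.
    // If customers must see their own order instead, compare
    // $order->get_customer_id() with get_current_user_id() after loading it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    wp_send_json_success( array(
        'status'   => $order->get_status(),
        'customer' => $order->get_customer_id(),
    ) );
}

// Register only the checked handler, and deliberately no 'wp_ajax_nopriv_' hook:
// unauthenticated visitors should not reach this endpoint at all.
add_action( 'wp_ajax_wos_troubleshooting', 'wos_troubleshooting_checked' );
```

The capability check is the fix for the class of issue described above; the nonce check is a separate CSRF defence and does not substitute for it.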


How This Could Impact Your Website

In a typical small business WordPress site using WooCommerce and this plugin, multiple user roles interact with the store: a site owner or administrator, internal staff who manage orders, and external contractors or contributors who may have Subscriber or low-level access. If the plugin is present and unpatched, a user with Subscriber-level access or higher could access the wos_troubleshooting endpoint and view order-related information that belongs to other customers or users.

Practical consequences include exposure of order-related data and associated user information to low-privilege accounts, which can increase the risk of targeted phishing or social engineering against customers or staff. The CVSS rating indicates a confidentiality impact at a low level rather than integrity or availability damage, so the issue primarily concerns unauthorized disclosure of information rather than modification or denial of service.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and subscribers.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior related to AJAX endpoints or order data access.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
