Security Alert Summary
The Order Splitter for WooCommerce plugin for WordPress contains a missing capability check on the wos_troubleshooting AJAX endpoint. In affected versions up to and including 5.3.5, authenticated users with Subscriber-level access and above may be able to view information related to other users’ orders.
CVE Details
- CVE ID: CVE-2025-12075
- Affected plugin / component: The Order Splitter for WooCommerce plugin for WordPress
- Affected versions: All versions up to and including 5.3.5
- Published: February 18, 2026, 5:16:17 AM
- Last modified: February 18, 2026, 5:16:17 AM
- CVSS v3.1: Base Score 4.3, Severity MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW (authenticated user, see note below)
- User Interaction: NONE
- Scope: UNCHANGED
- Impact: Confidentiality: LOW; Integrity: NONE; Availability: NONE
- Authentication / Privileges: The issue requires an authenticated user. The CVE description specifies that attackers with Subscriber-level access and above can exploit the issue.
- CWE / Weakness ID: CWE-862
Technical Details
The vulnerability is caused by a missing capability check on the plugin’s AJAX endpoint named wos_troubleshooting. Because the endpoint does not properly verify the requesting user’s capabilities, authenticated users with low privileges (Subscriber-level and above) can access data returned by that endpoint that pertains to other users’ orders.
The lack of a permission or capability check is the primary failure here: the endpoint responds to authenticated requests without confirming that the requester is authorized to view the target order data. The CVE description indicates this behavior for all versions up to and including 5.3.5.
Impact is limited to exposure of information accessible via that endpoint. There is no indication in the CVE entry of additional code execution, integrity modification, or availability impacts beyond read access to order-related data.
How This Could Impact Your Website
In a typical small-to-medium WordPress shop, the site owner may grant Subscriber access to customers, while internal staff and external contractors have higher roles for order management. If an account with Subscriber-level access is able to call the wos_troubleshooting endpoint and retrieve information about other users’ orders, it could expose order details such as products ordered, order metadata, or email addresses associated with orders.
Practical consequences include exposure of internal user email addresses and order information, which can increase the risk of targeted phishing or social engineering against customers or staff. For example, a contractor or contributor with access to multiple accounts could unintentionally or intentionally access other customers’ order details and use that information for social engineering.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry lists affected versions up to and including 5.3.5.)
- Review and reduce unnecessary user roles, especially Contributor and Subscriber accounts that do not require access beyond basic site usage.
- Enforce strong passwords and two-factor authentication for Editors and Administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual access patterns or attempts to call administrative or troubleshooting endpoints.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.