Sensitive Information Exposure in WhatsOrder plugin for WooCommerce by WordPress
CVE-2026-9612

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Whatsorder – Instant Checkout For WooCommerce
Vendor: CVE Published:; 24 June 2026

What is CVE-2026-9612?

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress exposes sensitive customer information, allowing unauthenticated attackers to access personal data through the yapacdev_generate_order_pdf function. This vulnerability enables the extraction of critical customer details such as full names, email addresses, phone numbers, billing addresses, order contents, and total amounts by simply enumerating order IDs sequentially. The invoices are stored in a publicly accessible directory without proper security measures, making them vulnerable to unauthorized downloads via HTTP without any authentication requirement.

Affected Version(s)

WhatsOrder – Instant Checkout for WooCommerce 0 <= 1.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/whatsorder-ins...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 24, 2026
Vulnerability Reserved
May 26, 2026

Credit

Benedictus Jovan

CVE-2026-9612 Data

JSON