Order Notification for WooCommerce (woc-order-alert) plays audio alerts in the browser when new orders come in. It’s useful if you’re running a busy shop and want a heads-up without refreshing your site’s admin dashboard. Before version 3.6.3 there was a serious problem. A permission bypass meant the entire WooCommerce REST API was open to unauthenticated requests. No API keys, no cookies, no login required. It was an absolute howler.
What went wrong
The plugin needed access to order data so it could trigger notifications. To achieve this, it hooked into woocommerce_rest_check_permissions, which is the central permission gate for WooCommerce’s REST API. Every request to every WooCommerce REST endpoint passes through this filter.
Here’s the permission callback from includes/class-hooks.php:
```php
// includes/class-hooks.php, vulnerable version (before 3.6.3)
// Hooked on woocommerce_rest_check_permissions, so it runs for every WooCommerce REST request.
public function woa_check_permissions( $permission, $context, $object_id, $post_type ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return $permission; // whatever arrived is passed through unchanged
}
```
The intention was to let shop managers through. The problem is that this filter applies globally across all WooCommerce REST controllers. In certain request contexts, particularly with WooCommerce 8.x and its restructured REST architecture, the $permission value can arrive as true before the capability check runs. The filter passes that value straight through for unauthenticated visitors, effectively short-circuiting the entire authentication pipeline.
The result is that anyone on the internet could query your store’s REST API and get back whatever they asked for.
What an attacker could access
The full WooCommerce REST API surface was exposed, which includes:
- Customer data: names, email addresses, physical addresses, phone numbers, order histories
- Order records: amounts, items, shipping details, payment methods
- Products: read, modify prices, change stock levels, or delete entirely
- Coupons: create unlimited discount codes
- Store settings: read configuration details
A simple curl request was all it took:
```shell
# Enumerate customers from a WooCommerce store
curl -s "https://target.example/wp-json/wc/v3/customers" | jq '.[].email'
```
For any store handling EU customers, this is a GDPR incident waiting to happen. Customer PII accessible without authentication is a full-fat data exposure event, and in the UK it would have to be reported to the ICO.
How to check if you are affected
If you’re running Order Notification for WooCommerce, check your version:
```shell
# Using WP-CLI to check the plugin's version
wp plugin list --name=woc-order-alert --fields=name,version,status
```
Any version before 3.6.3 is vulnerable. The fix removed the permission filter entirely, since the plugin does not actually need REST API access for its core functionality. It uses AJAX polling to check for new orders, not the WC REST API. The filter was unnecessary from the start.
What to do
Update to version 3.6.3 or later immediately. If you cannot update straight away, deactivate the plugin until you can.
It is also worth checking your access logs for unusual REST API traffic. Look for unauthenticated requests to /wp-json/wc/v3/ endpoints. If you find any, you may need to assess what data was accessed and whether a breach notification is required under your local data protection regulations.
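One way to do that log review, as an added example that is not part of the original post: the script below parses combined-format access log lines, keeps successful requests under /wp-json/wc/v3/, and flags those with no WooCommerce consumer key in the query string and no logged username. Because an Authorization header or login cookie never appears in a combined log line, these are candidates to review against your known API integrations, not confirmed unauthenticated hits; the log lines, IPs and timestamps are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WC_PREFIX = "/wp-json/wc/v3/"
# Query-string credentials WooCommerce accepts (Basic and OAuth1 key names). A key sent in an
# Authorization header is not logged, so a miss here means "review", not "unauthenticated".
KEY_PARAMS = ("consumer_key", "oauth_consumer_key")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return (hits, summary): wc/v3 requests that succeeded with no visible credential."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if not url.path.startswith(WC_PREFIX) or not rec["status"].startswith("2"):
            continue  # not the WooCommerce REST API, or the request was refused anyway
        if rec["user"] != "-" or any(k in parse_qs(url.query) for k in KEY_PARAMS):
            continue  # credential visible in the log line; leave to normal API audit
        endpoint = url.path[len(WC_PREFIX):].split("/")[0]
        hits.append({"ip": rec["ip"], "method": rec["method"], "endpoint": endpoint, "time": rec["time"]})
    summary = Counter((h["ip"], h["endpoint"]) for h in hits)
    return hits, summary

# Constructed sample lines (made-up IPs, times and keys) covering the cases the filter handles.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2025:10:12:01 +0000] "GET /wp-json/wc/v3/customers?per_page=100 HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.7 - - [04/Mar/2025:10:12:05 +0000] "GET /wp-json/wc/v3/orders?page=2 HTTP/1.1" 200 39120 "-" "curl/8.5.0"
198.51.100.4 - - [04/Mar/2025:10:15:44 +0000] "GET /wp-json/wc/v3/products?consumer_key=ck_EXAMPLE&consumer_secret=cs_EXAMPLE HTTP/1.1" 200 9120 "-" "Shopsync/1.2"
192.0.2.9 - - [04/Mar/2025:10:20:00 +0000] "GET /wp-json/wc/v3/customers HTTP/1.1" 401 88 "-" "python-requests/2.31"
192.0.2.9 - - [04/Mar/2025:10:20:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2025:10:21:10 +0000] "POST /wp-json/wc/v3/coupons HTTP/1.1" 201 640 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    hits, summary = triage(SAMPLE_LOG.splitlines())
    for (ip, endpoint), n in summary.most_common():
        print(f"{ip:16} {endpoint:12} {n} request(s) to review")
```

Run it against a real log with `triage(open(path).readlines())`; a client appearing against customers, orders and coupons with no credential, as in the sample, is the pattern worth escalating.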