CVE-2025-15484

WooExperts · Order Notification for WooCommerce (WordPress plugin)

The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides permission checks, granting unauthenticated users full read/write access to store resources.

Executive summary

A critical authentication bypass in the Order Notification for WooCommerce plugin allows unauthenticated attackers to gain full administrative control over store data.

Vulnerability

This vulnerability is a fundamental breakdown of access control: the plugin explicitly overrides WooCommerce's native permission checks, so a completely unauthenticated attacker can make requests that are granted full read and write access to customers, products, and coupons.

Business impact

The impact is severe, as attackers can steal sensitive customer PII, modify product pricing, or delete entire store databases. The CVSS score of 9.1 reflects the total loss of confidentiality and integrity for any WooCommerce store using the affected plugin versions.

Remediation

Immediate Action: Update the Order Notification for WooCommerce plugin to version 3.6.3 or higher as soon as possible.

Proactive Monitoring: Review WooCommerce order history and customer databases for unauthorized changes or bulk data exports, and check web server logs for successful requests to the WooCommerce REST API that carried no credentials.

Compensating Controls: If the plugin cannot be updated immediately, deactivate it to prevent unauthorized access to the WooCommerce API and store resources.
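As an added illustration of the monitoring step above (not code from the advisory or the plugin), the script below scans access-log lines for customer, product and coupon REST calls that carried no WordPress credentials yet succeeded; with intact permission checks such calls return 401. The log lines are constructed, and the trailing auth=<none|cookie|basic> field is an assumed custom log-format addition, not a standard Apache/Nginx field.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: combined log format plus one assumed custom
# trailing field, auth=<none|cookie|basic>, recording whether credentials were sent.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-json/wc/v3/customers?per_page=100 HTTP/1.1" 200 51234 "-" "curl/8.0" auth=none
203.0.113.10 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-json/wc/v3/customers?per_page=100&page=2 HTTP/1.1" 200 50122 "-" "curl/8.0" auth=none
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "PUT /wp-json/wc/v3/products/42 HTTP/1.1" 200 812 "-" "python-requests/2.31" auth=none
192.0.2.5 - - [01/Jan/2025:10:02:00 +0000] "POST /wp-json/wc/v3/coupons HTTP/1.1" 201 640 "-" "Mozilla/5.0" auth=cookie
203.0.113.10 - - [01/Jan/2025:10:03:00 +0000] "DELETE /wp-json/wc/v3/customers/7 HTTP/1.1" 401 95 "-" "curl/8.0" auth=none
203.0.113.10 - - [01/Jan/2025:10:04:00 +0000] "GET /shop/ HTTP/1.1" 200 12000 "-" "curl/8.0" auth=none
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" auth=(?P<auth>\S+)$'
)
# The WooCommerce REST resources the advisory names as exposed by the bypass.
WC_RESOURCE_RE = re.compile(r'^/wp-json/wc/v\d+/(customers|products|coupons)(?:[/?]|$)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_line(line):
    """Fields of one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_unauthenticated_wc_access(log_text):
    """Customer/product/coupon REST calls that carried no credentials yet got a 2xx.
    With WooCommerce's checks intact these would be 401, so each hit is exposed data."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["auth"] != "none":
            continue
        resource = WC_RESOURCE_RE.match(rec["path"])
        if not resource or not rec["status"].startswith("2"):
            continue  # non-WC path, or the check held (401/403): nothing exposed
        findings.append({"ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
                         "resource": resource.group(1),
                         "write": rec["method"] in WRITE_METHODS})
    return findings

def summarize_by_ip(findings):
    """Per source IP: successful unauthenticated reads, writes, and resources touched."""
    summary = defaultdict(lambda: {"reads": 0, "writes": 0, "resources": set()})
    for f in findings:
        summary[f["ip"]]["writes" if f["write"] else "reads"] += 1
        summary[f["ip"]]["resources"].add(f["resource"])
    return dict(summary)
```

Run summarize_by_ip(find_unauthenticated_wc_access(log_text)) over the real log; any IP with writes warrants a review of the affected products and coupons, and any with bulk customer reads a PII-exposure assessment.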

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a total failure of the security perimeter for affected e-commerce sites. Immediate updates are mandatory to protect customer data and maintain PCI-DSS compliance.