## PPOM for WooCommerce REST API Exposes Critical Security Flaw: Unauthenticated Access to Product & Order Data
A critical security vulnerability has been identified in the PPOM for WooCommerce plugin, exposing sensitive store data to unauthenticated users. The plugin's entire REST API, comprising seven distinct endpoints, is configured with a blanket `'permission_callback' => '__return_true'`. This configuration effectively bypasses all authentication and authorization checks, allowing anyone with the endpoint URLs to read, create, and delete PPOM field configurations and order metadata without any verification.

The flaw is rooted in the `inc/rest.class.php` file, where every `register_rest_route()` call uses the `__return_true` function as its permission callback. This means no capability checks are performed for any API operation. The exposed endpoints include `/ppom/v1/get/product/`, `/ppom/v1/get/id/`, and `/ppom/v1/get/order/` for data retrieval, alongside `/ppom/v1/set/product/`, `/ppom/v1/delete/product/`, `/ppom/v1/set/order/`, and `/ppom/v1/delete/order/` for data modification and deletion.

This vulnerability poses a direct threat to the integrity and confidentiality of WooCommerce stores using the plugin. An attacker could silently exfiltrate custom product field configurations, manipulate order metadata, or delete critical settings. The proposed fix involves implementing proper WordPress capability checks: requiring `edit_products` for GET endpoints and `manage_woocommerce` for POST and DELETE endpoints. Until patched, any site running the affected plugin version is at risk of unauthorized data access and manipulation.

---
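The following is an added example, not code from the PPOM plugin or its maintainers. It shows the insecure registration pattern the article describes (`'permission_callback' => '__return_true'`) beside a hardened registration that applies the proposed capability checks: `edit_products` for the three read routes and `manage_woocommerce` for the four write and delete routes. The namespace and route paths are taken from the article; the `ppom_example_*` function names, the `id` request parameter, and the `ppom_example_fields` meta key are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's own code). Only the 'ppom/v1' namespace
// and the seven route paths come from the article; everything else
// (function names, the 'id' parameter, the meta key) is assumed.

// --- Insecure pattern: anyone, logged in or not, passes the permission check.
function ppom_example_register_insecure_routes() {
    register_rest_route( 'ppom/v1', '/get/product/', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'ppom_example_get_product_fields',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
}

// --- Hardened permission callbacks. Returning a WP_Error (rather than false)
// lets WordPress send 401 for anonymous callers and 403 for logged-in users
// who lack the capability, via rest_authorization_required_code().
function ppom_example_can_read( WP_REST_Request $request ) {
    if ( current_user_can( 'edit_products' ) ) {
        return true;
    }
    return new WP_Error(
        'ppom_rest_forbidden',
        __( 'You are not allowed to read PPOM field data.', 'ppom' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function ppom_example_can_manage( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return new WP_Error(
        'ppom_rest_forbidden',
        __( 'You are not allowed to modify PPOM data.', 'ppom' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Shared argument schema: every route takes a numeric post/order ID.
function ppom_example_id_args() {
    return array(
        'id' => array(
            'required'          => true,
            'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            'sanitize_callback' => 'absint',
        ),
    );
}

// Handlers (assumed meta key 'ppom_example_fields').
function ppom_example_get_product_fields( WP_REST_Request $request ) {
    $id = $request->get_param( 'id' );
    return rest_ensure_response( get_post_meta( $id, 'ppom_example_fields', true ) );
}

function ppom_example_set_product_fields( WP_REST_Request $request ) {
    $id = $request->get_param( 'id' );
    update_post_meta( $id, 'ppom_example_fields', $request->get_json_params() );
    return rest_ensure_response( array( 'updated' => $id ) );
}

function ppom_example_delete_product_fields( WP_REST_Request $request ) {
    $id = $request->get_param( 'id' );
    delete_post_meta( $id, 'ppom_example_fields' );
    return rest_ensure_response( array( 'deleted' => $id ) );
}

// --- Hardened registration: read routes need edit_products, write/delete
// routes need manage_woocommerce, matching the fix the article proposes.
function ppom_example_register_secure_routes() {
    $routes = array(
        '/get/product/'    => array( WP_REST_Server::READABLE,  'ppom_example_get_product_fields',    'ppom_example_can_read' ),
        '/get/id/'         => array( WP_REST_Server::READABLE,  'ppom_example_get_product_fields',    'ppom_example_can_read' ),
        '/get/order/'      => array( WP_REST_Server::READABLE,  'ppom_example_get_product_fields',    'ppom_example_can_read' ),
        '/set/product/'    => array( WP_REST_Server::CREATABLE, 'ppom_example_set_product_fields',    'ppom_example_can_manage' ),
        '/set/order/'      => array( WP_REST_Server::CREATABLE, 'ppom_example_set_product_fields',    'ppom_example_can_manage' ),
        '/delete/product/' => array( WP_REST_Server::DELETABLE, 'ppom_example_delete_product_fields', 'ppom_example_can_manage' ),
        '/delete/order/'   => array( WP_REST_Server::DELETABLE, 'ppom_example_delete_product_fields', 'ppom_example_can_manage' ),
    );

    foreach ( $routes as $path => list( $methods, $callback, $permission ) ) {
        register_rest_route( 'ppom/v1', $path, array(
            'methods'             => $methods,
            'callback'            => $callback,
            'permission_callback' => $permission,
            'args'                => ppom_example_id_args(),
        ) );
    }
}
add_action( 'rest_api_init', 'ppom_example_register_secure_routes' );
```

Two details matter for anyone auditing a plugin for this class of bug. First, the permission callback is evaluated by WordPress before the route callback runs, so it is the only place a capability check is guaranteed to fire; checks buried inside the handler are easy to miss on some code paths. Second, a quick way to find the weak pattern is to grep a plugin for `__return_true` next to `permission_callback` and confirm each hit is genuinely a public, read-only endpoint; anything that writes or deletes data should map to a capability such as `manage_woocommerce`, as above.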
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: WordPress, WooCommerce, API Security, Vulnerability, Data Exposure
- **Credibility**: unverified
- **Published**: 2026-03-31 06:57:06
- **ID**: 42565
- **URL**: https://whisperx.ai/en/intel/42565