Vulnerability DatabaseWS-2021-0130
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
WS-2021-0130
Published:May 14, 2026
Updated:May 14, 2026
Klaviyo Magento 2 before 3.0.0 allows reading private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API.
Affected Packages
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-202103_oauth_rebased <dev-202012_oauth_support
Fix Suggestion:
Update to version dev-202012_oauth_support
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-202104_product-delete-webhook-store-ids <dev-202104_product-save-webhook
Fix Suggestion:
Update to version dev-202104_product-save-webhook
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-201907_requirejs <dev-202107_rtrim_custom_media_url
Fix Suggestion:
Update to version dev-202107_rtrim_custom_media_url
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-202011_product_delete_webhook_api <dev-202111_product_save_webhook
Fix Suggestion:
Update to version dev-202111_product_save_webhook
klaviyo/magento2-extension (PHP):
Affected version(s) >=dev-201905_bis_api <dev-202201_cart_rebuild
Fix Suggestion:
Update to version dev-202201_cart_rebuild
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-202101_version_2_0_0 <dev-m2_v3_upgrade
Fix Suggestion:
Update to version dev-m2_v3_upgrade
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-201904_magento_2_api_and_bundle_images <dev-202106_require_m2_version_2_3_4
Fix Suggestion:
Update to version dev-202106_require_m2_version_2_3_4
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-201907_media_schema_email <dev-202108_newsletter_fix
Fix Suggestion:
Update to version dev-202108_newsletter_fix
klaviyo/magento2-extension (PHP):
Affected version(s) >=1.0.0 <dev-202110_m2_email_consent_loggedin_users
Fix Suggestion:
Update to version dev-202110_m2_email_consent_loggedin_users
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-201904_add <dev-202207_add_pr_template
Fix Suggestion:
Update to version dev-202207_add_pr_template
klaviyo/magento2-extension (PHP):
Affected version(s) =dev-202103_sms_c@c <dev-202112_spell_fixes
Fix Suggestion:
Update to version dev-202112_spell_fixes
Related Resources (1)
https://github.com/klaviyo/magento2-klaviyo/commit/016114c870a39f8d2e18bab9be6a04a040e857c7
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE