WholesaleX < 1.3.2 – Sensitive Information Exposure via export_users | CVE 2024-30233 | Plugin Vulnerabilities

Description

The WholesaleX – WooCommerce Wholesale Plugin (Wholesale Prices, Dynamic Pricing, Tiered Pricing) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the 'export_users'. This makes it possible for authenticated attackers, with access to the admin dashboard (Subscribers, though with WooCommerce installed this would be limited to contributors by default) to extract sensitive data including lists of users.

Affects Plugins

Fixed in 1.3.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/710f663a-c8ff-457b-8b3f-4f6601ba321f

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Emili Castells

Verified

No

WPVDB ID

08bdc440-44a6-4dc4-ae2f-a35960941185

Timeline

Publicly Published

2024-03-26 (about 2 years ago)

Added

2024-03-27 (about 2 years ago)

Last Updated

2024-03-27 (about 2 years ago)

Other

Published

Title

Published

2024-08-08

Title

My Custom CSS PHP & ADS <= 3.3 - Unauthenticated Full Path Disclosure

Published

2024-11-05

Title

Everest Backup < 2.2.14 - Unauthenticated Backup Download

Published

2015-05-15

Title

ThemeMakers Themes - Information Disclosure

Published

2024-07-09

Title

WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 <= 1.0.1 - Unauthenticated Information Exposure

Published

2026-01-16

Title

AWP Classifieds < 4.4.4 - Unauthenticated Information Exposure