WordPress Plugin Vulnerabilities

EAN for WooCommerce < 4.9.0 - Authenticated (Shop Manager+) Arbitrary Options Update

Description

The EAN for WooCommerce plugin for WordPress is vulnerable to arbitrary options updates n all versions up to, and including, 4.8.9. This is due to insufficient restrictions on option values that can be supplied. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options that can be leveraged for privilege escalation.

Affects Plugins

Plugin icon
ean-for-woocommerce
Fixed in 4.9.0

References

CVE
CVE-2024-34370
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/13be8a88-bcd3-4ce9-9538-e93c78323456

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
0d8bac21-0699-4c92-8868-1de71f5345be

Timeline

Publicly Published
2024-05-03 (about 2 years ago)
Added
2024-05-07 (about 2 years ago)
Last Updated
2024-05-07 (about 2 years ago)

Other

Published
Title
Published
2024-10-29
Title
LiteSpeed Cache < 6.5.2 - Unauthenticated Privilege Escalation
Published
2025-11-26
Title
Tiger <= 101.2.1 - Unauthenticated Privilege Escalation
Published
2025-06-09
Title
MapSVG < 8.6.13 - Contributor+ Privilege Esclation
Published
2025-11-10
Title
EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation
Published
2025-04-30
Title
SureTriggers < 1.0.83 - Unauthenticated Privilege Escalation