WordPress Plugin Vulnerabilities

WooCommerce Clover Payment Gateway < 1.3.2 - Missing Authorization via callback_handler

Description

The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid.

Affects Plugins

Plugin icon
woo-clover-gateway-by-zaytech
Fixed in 1.3.2

References

CVE
CVE-2024-0626
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/57aacffa-0f49-4a33-ae40-d1c151363284

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
0e4140c6-69d6-43f5-8765-b2a737620885

Timeline

Publicly Published
2024-03-22 (about 2 years ago)
Added
2024-03-22 (about 2 years ago)
Last Updated
2024-03-22 (about 2 years ago)

Other

Published
Title
Published
2021-11-15
Title
Improved Include Page <= 1.2 - Contributor+ Arbitrary Posts/Pages Access
Published
2021-10-19
Title
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
Published
2024-02-01
Title
ARMember < 4.0.25 - Improper Access Control to Sensitive Information Exposure via REST API
Published
2024-02-28
Title
Download Manager < 3.2.85 - Unauthenticated File Download
Published
2022-08-01
Title
Affiliate For WooCommerce < 4.8.0 - Subscriber+ Unauthorised Actions