Customer Reviews for WooCommerce < 5.62.0 – Missing Authorization to Authenticated (Subscriber+) Import Cancellation | CVE 2024-10614 | Plugin Vulnerabilities

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and import or check on the status.

Affects Plugins

customer-reviews-woocommerce

Fixed in 5.62.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e27224aa-56c4-49ab-b9b3-b431b38e126e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

incognito

Verified

No

WPVDB ID

0f2586e5-7bc3-40c9-99bf-a57ec6e0f3c5

Timeline

Publicly Published

2024-11-15 (about 1 year ago)

Added

2024-11-15 (about 1 year ago)

Last Updated

2024-11-16 (about 1 year ago)

Other

Published

Title

Published

2025-12-31

Title

Criptopayer for Elementor <= 1.0.1 - Missing Authorization

Published

2025-01-14

Title

RomethemeKit For Elementor < 1.5.4 - Missing Authorization in save_options and reset_widgets

Published

2024-03-28

Title

PageLayer < 1.8.2 - Missing Authorization

Published

2024-04-17

Title

WPC Frequently Bought Together for WooCommerce < 7.0.4 - Missing Authorization

Published

2023-12-01

Title

Social Pug < 1.30.1 - Missing Authorization via multiple admin_init actions