WooCommerce Ship to Multiple Addresses < 3.8.6 – Customer+ Shipping Address Update | CVE 2023-37872

Affects Plugins

woocommerce-shipping-multiple-addresses

Fixed in 3.8.6

References

CVE

CVE-2023-37872

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-639

CVSS

6.5 (medium)

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

12b16fd8-f0e3-4a1c-a3ab-6ed03f41526f

Timeline

Publicly Published

2023-07-10 (about 2 years ago)

Added

2023-08-07 (about 2 years ago)

Last Updated

2023-08-07 (about 2 years ago)

Other

Published

Title

Published

2026-03-10

Title

Happy Addons for Elementor < 3.21.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter

Published

2024-10-30

Title

Forminator Forms < 1.36.1 - Unauthenticated Arbitrary Quiz Submissions Update

Published

2024-06-28

Title

Paid Memberships Pro < 3.0.5 - Unauthenticated Insecure Direct Object Reference to Order Status Update

Published

2024-04-16

Title

WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Insecure Direct Object Reference

Published

2025-07-21

Title

WP JobHunt <= 7.2 - Subscriber+ Arbitrary Account Deletion via IDOR