WordPress Plugin Vulnerabilities

TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds < 1.4.11 - Missing Authorization to Authenticated (Subscriber+) User Email Export

Description

The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search() function in all versions up to, and including, 1.4.10. This makes it possible for authenticated attackers, with subscriber-level access and above, to export a list of registered users and their emails.

Affects Plugins

Plugin icon
woo-wallet
Fixed in 1.4.11

References

CVE
CVE-2024-1690
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/18e24a2e-cbc6-4285-b846-bea513b6ff69

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
1531d60a-af66-44a7-a775-c462f8ab1e41

Timeline

Publicly Published
2024-03-07 (about 2 years ago)
Added
2024-03-07 (about 2 years ago)
Last Updated
2024-03-07 (about 2 years ago)

Other

Published
Title
Published
2023-06-05
Title
KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls
Published
2026-01-15
Title
Awesome Support – WordPress HelpDesk & Support Plugin < 6.3.7 - Missing Authorization to Unauthenticated Role Demotion
Published
2025-07-22
Title
Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function
Published
2026-02-20
Title
Team < 5.0.14 - Missing Authorization
Published
2025-12-31
Title
EasyTest <= 1.0.1 - Missing Authorization