WordPress Plugin Vulnerabilities

Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update

Description

The Claudio Sanches – Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the update_order_status() function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update the status of orders to paid bypassing payment.

Affects Plugins

Plugin icon
woocommerce-checkout-cielo
No known fix

References

CVE
CVE-2024-1718
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/40cb3214-a11b-4bee-9422-256d12303460

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
16d0eb7d-5131-4c5d-8e5e-21a6b13daf4b

Timeline

Publicly Published
2024-06-03 (about 2 years ago)
Added
2024-06-03 (about 2 years ago)
Last Updated
2024-06-04 (about 2 years ago)

Other

Published
Title
Published
2026-05-28
Title
Contact Form 7 – PayPal & Stripe Add-on < 2.4.10 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
Published
2024-04-22
Title
Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection
Published
2023-12-27
Title
Booster Elite for WooCommerce < 7.1.3 - Subscriber+ Content Injection
Published
2026-02-11
Title
WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Content Injection