WordPress Plugin Vulnerabilities

MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion

Description

The plugin does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment

Proof of Concept

Login as a subscriber an open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to delete the shipment with ID 1

Affects Plugins

Plugin icon
multiparcels-shipping-for-woocommerce
Fixed in 1.14.14

References

CVE
CVE-2023-3365

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
21ce5baa-8085-4053-8d8b-f7d3e2ae70c1

Timeline

Publicly Published
2023-07-17 (about 10 months ago)
Added
2023-07-17 (about 10 months ago)
Last Updated
2023-07-17 (about 10 months ago)

Other

Published
Title
Published
2024-03-25
Title
Smart Forms < 2.6.94 - Subscriber+ Edit Entries via Broken Access Control
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
Published
2023-11-09
Title
Animator < 3.0.11 - Missing Authorization to Plugin Settings Update
Published
2023-11-21
Title
Preloader for Website < 1.3 - Missing Authorization via plwao_register_settings()
Published
2024-01-02
Title
WooCommerce PDF Invoices < 4.3.1 - Subscriber+ Arbitrary Order Export