MultiParcels Shipping For WooCommerce < 1.14.14 – Subscriber+ Arbitrary Shipment Deletion | CVE 2023-3365

Description

The plugin does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment

Proof of Concept

Login as a subscriber an open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to delete the shipment with ID 1

Affects Plugins

multiparcels-shipping-for-woocommerce

Fixed in 1.14.14

References

CVE

CVE-2023-3365

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CWE-862

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

21ce5baa-8085-4053-8d8b-f7d3e2ae70c1

Timeline

Publicly Published

2023-07-17 (about 2 years ago)

Added

2023-07-17 (about 2 years ago)

Last Updated

2023-07-17 (about 2 years ago)

Other

Published

Title

Published

2025-06-12

Title

Traffic Monitor < 3.2.3 - Missing Authorization to Unauthenticated Settings Update

Published

2023-10-11

Title

AI ChatBot < 4.9.3 - Missing authorization in AJAX calls

Published

2023-11-13

Title

Essential Blocks for Gutenberg < 4.2.1 - Missing Authorization via AJAX actions

Published

2024-12-18

Title

Instantio < 3.3.8 - Missing Authorization to Unauthenticated Settings Update

Published

2024-02-02

Title

Element Pack Elementor Addons < 5.4.12 - Missing Authorization via bdt_duplicate_as_draft