WordPress Plugin Vulnerabilities
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Description
The plugin does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment
Proof of Concept
Login as a subscriber an open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to delete the shipment with ID 1
Affects Plugins
Fixed in 1.14.14 References
CVE
Classification
Type
NO AUTHORISATION
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-07-17 (about 4 months ago)
Added
2023-07-17 (about 4 months ago)
Last Updated
2023-07-17 (about 4 months ago)
WPScan 