WordPress Plugin Vulnerabilities

Customer Email Verification for WooCommerce < 2.9.5 - Authenticated (Contributor+) Sensitive Information Exposure

Description

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user.

Affects Plugins

Plugin icon
emails-verification-for-woocommerce
Fixed in 2.9.5

References

CVE
CVE-2024-13525
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a63a41d1-b9b0-43a9-a6e0-761f3b8d9d4a

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
wesley (wcraft)
Verified
No
WPVDB ID
2ab2574c-d3e7-4523-a73a-f90d43dae9aa

Timeline

Publicly Published
2025-02-14 (about 1 year ago)
Added
2025-02-14 (about 1 year ago)
Last Updated
2025-02-15 (about 1 year ago)

Other

Published
Title
Published
2024-04-22
Title
HT Mega – Absolute Addons For Elementor < 2.4.8 - Missing Authorization to Information Exposure
Published
2024-10-21
Title
All-in-One WP Migration and Backup < 7.87 - Unauthenticated Information Disclosure via Error Logs
Published
2025-12-21
Title
E-Invoice App Malaysia <= 1.3.0 - Unauthenticated Information Exposure
Published
2024-12-17
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.13.5 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2026-02-24
Title
Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button – Chaty < 3.5.2 - Unauthenticated Information Exposure