WordPress Plugin Vulnerabilities

Location Picker at Checkout for WooCommerce < 1.9.0 - Missing Authorization via checkout_map_rules_order_ajax_handler

Description

The Location Picker at Checkout for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkout_map_rules_order_ajax_handler function in versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify rule orders.

Affects Plugins

Plugin icon
map-location-picker-at-checkout-for-woocommerce
Fixed in 1.9.0

References

CVE
CVE-2024-24719
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7394be7e-9a1f-4c85-ac2d-cace39def330

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
35fef3d0-5969-4d6a-8dec-57ed494dbac7

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-05 (about 2 years ago)
Last Updated
2024-02-05 (about 2 years ago)

Other

Published
Title
Published
2024-05-28
Title
Slider Revolution < 6.7.0 - Missing Authorization
Published
2024-11-22
Title
AI Quiz <= 1.1 - Missing Authorization
Published
2025-09-22
Title
CardCom Payment Gateway <= 3.5.0.5 - Missing Authorization
Published
2025-02-03
Title
OnePress <= 2.3.11 - Missing Authorization
Published
2025-03-04
Title
WooMail - WooCommerce Email Customizer <= 3.0.34 - Authenticated (Subscriber+) Missing Authorization to SQL Injection