WordPress Plugin Vulnerabilities

Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure

Description

The plugin does not properly validate authorization in calls to the parseRemoteRequest function allowing unauthenticated visitors with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information (e.g., Name, Address, Email Address, and other order metadata).

Affects Plugins

Plugin icon
soisy-pagamento-rateale
No known fix

References

CVE
CVE-2023-5132
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/soisy-pagamento-rateale/soisy-pagamento-rateale-601-missing-authorization-to-sensitive-information-exposure

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
3d821963-f2bf-4b8d-bc2d-296790f5e1dd

Timeline

Publicly Published
2023-10-20 (about 2 years ago)
Added
2023-10-27 (about 2 years ago)
Last Updated
2023-10-27 (about 2 years ago)

Other

Published
Title
Published
2024-12-11
Title
ListApp Mobile Manager <= 1.7.7 - Missing Authorization to Privilege Escalation
Published
2024-12-11
Title
Zita Site Builder <= 1.0.2 - Missing Authorization to Arbitrary Plugin Installation
Published
2025-03-13
Title
Eco Nature - Environment & Ecology WordPress Theme < 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
Published
2024-06-20
Title
Woocommerce Customers Order History <= 5.2.2 - Missing Authorization
Published
2023-11-16
Title
FormCraft < 1.2.8 - Missing Authorization via formcraft_nag_update