WordPress Plugin Vulnerabilities

WooCommerce CVR Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) CVR Update

Description

The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_cvr_data AJAX action. This makes it possible for authenticated attackers with contributor-level access and above, to update CVR numbers for orders.

Affects Plugins

Plugin icon
woocommerce-cvr-payment-gateway
Fixed in 6.1.0

References

CVE
CVE-2023-4948

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes, Yan&Co ApS
Verified
No
WPVDB ID
4358c07f-11a1-435a-9987-fcb665e2f1a3

Timeline

Publicly Published
2023-09-13 (about 2 years ago)
Added
2023-09-20 (about 2 years ago)
Last Updated
2023-09-20 (about 2 years ago)

Other

Published
Title
Published
2024-07-01
Title
CRM Perks Forms < 1.1.6 - Missing Authorization to Unauthenticated Form Submission
Published
2025-06-05
Title
Viral Loops WP Integration <= 3.8.1 - Missing Authorization
Published
2022-10-03
Title
Bricks Builder < 1.5.4 - Subscriber+ Arbitrary Post/Page Edition
Published
2025-12-04
Title
Xagio SEO <= 7.1.0.29 - Missing Authorization
Published
2026-03-27
Title
Petitioner < 0.7.4 - Missing Authorization