ReviewX – Multi-criteria Rating & Reviews for WooCommerce < 1.6.28 – Missing Authorization | CVE 2024-3609 | Plugin Vulnerabilities

Description

The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments.

Affects Plugins

Fixed in 1.6.28

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f8152adf-1ca9-4a19-b539-39e257ab94c8

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

48f9a86b-ec4b-435c-b6b2-b7321ebe234d

Timeline

Publicly Published

2024-05-16 (about 2 years ago)

Added

2024-05-16 (about 2 years ago)

Last Updated

2024-05-16 (about 2 years ago)

Other

Published

Title

Published

2022-05-03

Title

Content Mask < 1.8.4.1 - Subscriber+ Arbitrary Options Update

Published

2024-03-12

Title

Tutor LMS – eLearning and online course solution < 2.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

Published

2025-12-31

Title

Walker for Elementor <= 1.1.6 - Missing Authorization

Published

2024-08-12

Title

Backup and Restore WordPress <= 1.50 - Missing Authorization

Published

2025-05-19

Title

Shortlinks by Pretty Links < 3.6.16 - Missing Authorization