WordPress Plugin Vulnerabilities

WooCommerce Multilingual & Multicurrency < 5.3.7 - Missing Authorization

Description

The WooCommerce Multilingual & Multicurrency plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a few functions like save_shipping_zone_method_from_ajax, switch_product_variations_language, and update_woocommerce_shipping_settings_for_class_costs_from_ajax in versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify plugin settings.

Affects Plugins

Plugin icon
woocommerce-multilingual
Fixed in 5.3.7

References

CVE
CVE-2024-44006
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8aef0e9d-fc63-445d-a5fa-08e6cd5f0dbc

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
4a7b0da9-c31a-4ed7-8bcd-d3a9fa0d5e8b

Timeline

Publicly Published
2024-09-16 (about 1 year ago)
Added
2024-09-18 (about 1 year ago)
Last Updated
2024-09-18 (about 1 year ago)

Other

Published
Title
Published
2025-04-09
Title
Woo Product Feed For Marketing Channels <= 1.9.0 - Missing Authorization
Published
2025-07-22
Title
LoginWP - Pro < 4.0.8.6 - Missing Authorization to Unauthenticated Settings Update
Published
2024-08-28
Title
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free < 3.7.4.1 - Missing Authorization to Unauthenticated Arbitrary Media Deletion
Published
2025-02-23
Title
Small Package Quotes – Unishippers Edition < 2.4.10 - Missing Authorization
Published
2025-02-03
Title
SocialV - Social Network and Community BuddyPress Theme < 2.0.16 - Missing Authorization to Arbitrary File Download