NP Quote Request for WooCommerce < 1.9.180 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure | CVE 2024-13558 | Plugin Vulnerabilities

Description

The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to read the content of quote requests.

Affects Plugins

woo-rfq-for-woocommerce

Fixed in 1.9.180

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5991c86b-6785-41a6-a5df-c65e8a28201c

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

53c84ea2-2134-4038-a744-547f8c345c2d

Timeline

Publicly Published

2025-03-19 (about 1 year ago)

Added

2025-03-19 (about 1 year ago)

Last Updated

2025-03-20 (about 1 year ago)

Other

Published

Title

Published

2023-01-17

Title

WP FullCalendar < 1.5 - Unauthenticated Arbitrary Post Access

Published

2025-01-10

Title

Unlimited Theme Addon For Elementor and WooCommerce < 1.2.3 - Authenticated (Contributor+) Post Disclosure

Published

2021-05-17

Title

LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR

Published

2025-03-12

Title

Business Directory Plugin - Easy Listing Directories for WordPress < 6.4.15 - Insecure Direct Object Reference to Listing Arbitrary Image Addition

Published

2024-02-26

Title

User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode