WordPress Plugin Vulnerabilities

WooCommerce Conversion Tracking < 2.0.12 - Subscriber+ Addon Installation

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the 'wcct_install_happy_addons' function, allowing any authenticated users, such as subscriber to install the Happy Elementor Addons plugin.

Affects Plugins

Plugin icon
woocommerce-conversion-tracking
Fixed in 2.0.12

References

CVE
CVE-2024-24711
URL
https://patchstack.com/database/vulnerability/woocommerce-conversion-tracking/wordpress-woocommerce-conversion-tracking-plugin-2-0-11-broken-access-control-csrf-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
54f59895-ba72-4430-8a75-777d68e165e0

Timeline

Publicly Published
2024-01-31 (about 2 years ago)
Added
2024-02-02 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2025-12-21
Title
Virusdie < 1.1.7 - Missing Authorization
Published
2025-09-03
Title
Frisbii Pay < 1.8.3 - Missing Authorization
Published
2025-04-04
Title
Revive.so – Bulk Rewrite and Republish Blog Posts < 2.0.4 - Missing Authorization
Published
2024-06-14
Title
Popup Builder – Create highly converting, mobile friendly marketing popups < 4.3.2 - Missing Authorization and Nonce Exposure
Published
2025-01-06
Title
Export Import Menus < 1.9.2 - Missing Authorization to Unauthenticated Menu Export