WordPress Plugin Vulnerabilities

Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

Description

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
woo-thank-you-page-customizer
Fixed in 1.1.3

References

CVE
CVE-2024-1687
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/310afe02-3a51-4633-b359-65ae58d0c032

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
5d967eeb-13c0-44ea-aef8-5432335f47d3

Timeline

Publicly Published
2024-02-26 (about 2 years ago)
Added
2024-02-26 (about 2 years ago)
Last Updated
2024-02-26 (about 2 years ago)

Other

Published
Title
Published
2024-09-03
Title
The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2023-09-29
Title
WP Custom Admin Interface < 7.33 - Missing Authorization to Transients Deletion
Published
2026-03-10
Title
Addi – Cuotas que se adaptan a ti <= 2.0.4 - Missing Authorization
Published
2025-02-18
Title
Simple Photo Feed < 1.4.1 - Missing Authorization
Published
2025-05-24
Title
Visual Header < 1.5 - Missing Authorization