WordPress Plugin Vulnerabilities

WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR

Description

The plugin does not validate orders ownership which could allow unauthenticated attacker to delete orders by knowing the order ID and cart hash (i.e. they would have to create a cart that matches the items in the order they are trying to delete). Furthermore, only stores running on legacy UPE and split-UPE version are affected by this.

Affects Plugins

Plugin icon
woocommerce-payments
Fixed in 6.7.0

References

CVE
CVE-2023-51503
URL
https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woopayments-plugin-6-6-2-unauthenticated-insecure-direct-object-references-idor-vulnerability

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
3.7 (low)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
5fad691c-32d9-46f8-ab69-b4405d2288bf

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2024-04-05
Title
Profile Builder < 3.11.3 - Restricted Email Bypass
Published
2025-06-19
Title
JobSearch < 3.0.6 - Subscriber+ Insecure Direct Object Reference
Published
2026-03-10
Title
Happy Addons for Elementor < 3.21.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter
Published
2024-11-21
Title
Easy Twitter Feed – Twitter feeds plugin for WP <= 1.2.6 - Authenticated (Contributor+) Post Exposure
Published
2021-09-22
Title
WP User Manager < 2.6.3 - Arbitrary User Password Reset to Account Compromise