Customer Reviews for WooCommerce < 5.39.0 – Improper Authorization via submit_review | CVE 2024-1044 | Plugin Vulnerabilities

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled.

Affects Plugins

customer-reviews-woocommerce

Fixed in 5.39.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4420c334-1ea4-4549-b391-150702abc2f8

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

5fbab4a6-199f-49ff-91e7-6e33566e3565

Timeline

Publicly Published

2024-02-06 (about 2 years ago)

Added

2024-02-09 (about 2 years ago)

Last Updated

2024-02-09 (about 2 years ago)

Other

Published

Title

Published

2024-02-26

Title

Restrict User Access – Ultimate Membership & Content Protection < 2.6 - Information Exposure

Published

2023-07-17

Title

Qubely < 1.8.6 - Unauthenticated Arbitrary E-mail Sending

Published

2020-08-03

Title

Product Input Fields for WooCommerce < 1.2.7 - Unauthenticated File Download

Published

2021-08-30

Title

Premium Addons for Elementor < 4.5.2 - Subscriber+ Arbitrary Blog Option Update

Published

2021-10-05

Title

JobSearch WP Job Board < 1.8.2 - Subscriber+ Add/Update Schedule Calls