WooCommerce Add to Cart Custom Redirect < 1.2.14 – Authenticated(Contributor+) Missing Authorization to Limited Arbitrary Options Update | CVE 2024-1862 | Plugin Vulnerabilities

Description

The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'.

Affects Plugins

woocommerce-add-to-cart-custom-redirect

Fixed in 1.2.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/36c6a116-37cc-4ade-b601-5f9d6aaf9217

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

62b70fd6-3cd8-407a-a857-d5b30f198da0

Timeline

Publicly Published

2024-03-07 (about 2 years ago)

Added

2024-03-07 (about 2 years ago)

Last Updated

2024-03-07 (about 2 years ago)

Other

Published

Title

Published

2025-09-05

Title

Consultstreet <= 3.0.0 - Missing Authorization

Published

2024-03-14

Title

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 5.3.1.0 - Authenticated (Subscriber+) Privilege Escalation

Published

2023-11-01

Title

Funnelforms Free < 3.4.2 - Missing Authorization to Category Deletion

Published

2025-09-27

Title

BuddyPress < 14.4.0 - Missing Authorization

Published

2025-10-08

Title

Rank Math SEO PRO < 3.0.97 - Missing Authorization