WordPress Plugin Vulnerabilities

Shopping Cart & eCommerce Store < 5.7.9 - Missing Authorization to Order Updates

Description

The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the webhook function in all versions up to, and including, 5.7.8. This makes it possible for unauthenticated attackers to modify order statuses.

Affects Plugins

Plugin icon
wp-easycart
Fixed in 5.7.9

References

CVE
CVE-2024-12712
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/28a3f382-3801-4e98-9004-56c27a85f0a2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
666b5aac-acb2-4f89-9887-490055bf4f4b

Timeline

Publicly Published
2025-01-07 (about 1 year ago)
Added
2025-01-07 (about 1 year ago)
Last Updated
2025-01-08 (about 1 year ago)

Other

Published
Title
Published
2025-07-24
Title
Frontend File Manager < 22.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Published
2022-08-31
Title
WP Shop Original <= 3.9.6 - Unauthenticated Settings Update
Published
2025-03-31
Title
Vitepos < 3.1.5 - Missing Authorization
Published
2025-11-15
Title
Appointment Booking Calendar < 1.3.96 - Missing Authorization
Published
2023-12-26
Title
Molongui < 4.7.4 - Missing Authorization