ELEX WooCommerce Dynamic Pricing and Discounts < 2.1.8 – Missing Authorization | CVE 2024-12266 | Plugin Vulnerabilities

Description

The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the elex_dp_export_rules() and elex_dp_import_rules() functions in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to import and export product rules along with obtaining phpinfo() data

Affects Plugins

elex-woocommerce-dynamic-pricing-and-discounts

Fixed in 2.1.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/063d452b-2a35-40aa-a002-ea55da778222

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

Verified

No

WPVDB ID

69d6bd6a-2d88-4d8b-b4c3-e855e59ee1de

Timeline

Publicly Published

2024-12-23 (about 1 year ago)

Added

2024-12-23 (about 1 year ago)

Last Updated

2024-12-24 (about 1 year ago)

Other

Published

Title

Published

2024-04-30

Title

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.0 - Missing Authorization

Published

2023-12-18

Title

Essential Real Estate < 4.4.0 - Subscriber+ Denial of Service via Arbitrary Option Update

Published

2025-11-28

Title

Subscriptions & Memberships for PayPal < 1.1.8 - Missing Authorization

Published

2025-08-20

Title

LifePress < 2.2 - Missing Authorization

Published

2024-01-05

Title

Quiz Maker < 6.5.1.2 - Missing Authorization