WordPress Plugin Vulnerabilities

WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Analytics Report Leaks

Description

The plugin was vulnerable to Analytics Report Leaks on some hosting configurations.

As well as updating WooCommerce to at least version 5.7.0, and WooCommerce Admin to at least version 2.6.4, it is also recommended that directory listing is disabled on your host.

Automattic updates were rolled out to force the vulnerable plugins to be updated and patched.

Affects Plugins

Plugin icon
woocommerce
Fixed in 5.7.0
Plugin icon
woocommerce-admin
Fixed in 2.6.4

References

URL
https://developer.woocommerce.com/2021/09/22/important-security-patch-released-in-woocommerce/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
6f1ecd1e-5363-44df-b9c7-a67dc9398261

Timeline

Publicly Published
2021-09-22 (about 2 years ago)
Added
2021-09-22 (about 2 years ago)
Last Updated
2022-04-10 (about 2 years ago)

Other

Published
Title
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Unprotected AJAX Actions
Published
2022-05-18
Title
JupiterX < 2.0.7 & JupiterX Core < 2.0.7 - Subscriber+ Arbitrary Plugin Deactivation and Settings Update
Published
2024-03-19
Title
Coming Soon & Maintenance Mode by Colorlib <= 1.0.99 - Information Exposure
Published
2022-01-05
Title
SupportCandy < 2.2.5 - Unauthenticated Arbitrary Ticket Deletion
Published
2021-11-01
Title
Stylish Cost Calculator < 7.0.4 - Subscriber+ Unauthorised AJAX Calls to Stored XSS