WordPress Plugin Vulnerabilities

Pricing Deals for WooCommerce <= 2.0.3.2 - Missing Authorization via vtprd_ajax_clone_rule

Description

The Pricing Deals for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data| due to a missing capability check on the 'vtprd_ajax_clone_rule' function in versions up to, and including, 2.0.3.2. This makes it possible for unauthenticated attackers to clone rules.

Affects Plugins

Plugin icon
pricing-deals-for-woocommerce
No known fix

References

CVE
CVE-2023-41240
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1101bfe6-2075-4f44-933b-6d9f372100a2

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (Medium)

Miscellaneous

Original Researcher
thiennv
Verified
No
WPVDB ID
716b6da2-1a9c-4b2b-93f9-85e8cb4ca9e5

Timeline

Publicly Published
2023-08-29 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-11-28 (about 2 years ago)

Other

Published
Title
Published
2025-09-22
Title
Smart Blocks < 2.5 - Missing Authorization
Published
2026-01-09
Title
Contest Gallery < 28.1.2 - Missing Authorization
Published
2026-01-30
Title
Fitness FSE <= 1.0.6 - Missing Authorization
Published
2026-03-02
Title
AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.6 - Missing Authorization to Unauthenticated API Key Modification
Published
2025-01-31
Title
Content Cloner < 1.0.2 - Missing Authorization