WordPress Plugin Vulnerabilities

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels < 4.4.3 - Missing Authorization to Unauthenticated Settings Reset

Description

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wt_pklist_reset_settings() function in all versions up to, and including, 4.4.2. This makes it possible for unauthenticated attackers to reset all of the plugin's settings.

Affects Plugins

Plugin icon
print-invoices-packing-slip-labels-for-woocommerce
Fixed in 4.4.3

References

CVE
CVE-2024-3216
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/aeac9c4a-0754-4fb1-bf11-0cd8483451b6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
74af169f-06bc-4877-b8cf-f9dbd9798727

Timeline

Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-05 (about 2 years ago)
Last Updated
2024-04-05 (about 2 years ago)

Other

Published
Title
Published
2025-04-01
Title
Pin Generator < 2.0.1 - Missing Authorization
Published
2025-04-01
Title
WP Clone any post type <= 3.6 - Missing Authorization
Published
2025-02-28
Title
Booking Calendar and Notification <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions
Published
2026-04-07
Title
Users manager – PN < 1.1.20 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action
Published
2023-11-14
Title
Events Addon for Elementor < 2.1.3 - Missing Authorization