One Click Order Re-Order < 1.1.10 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting | CVE 2024-5641 | Plugin Vulnerabilities

Description

The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting.

Affects Plugins

one-click-order-reorder

Fixed in 1.1.10

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/8a297784-96cd-4135-a8f1-e50f3a0d71bd

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

7c8c04d0-87bd-4813-88fc-fe193a86c001

Timeline

Publicly Published

2024-07-03 (about 1 year ago)

Added

2024-07-03 (about 1 year ago)

Last Updated

2024-07-04 (about 1 year ago)

Other

Published

Title

Published

2025-04-01

Title

WordPress Adverts Plugin <= 1.4 - Missing Authorization

Published

2023-11-21

Title

Preloader for Website < 1.3 - Missing Authorization via plwao_register_settings()

Published

2025-07-16

Title

Webba Booking < 5.1.22 - Missing Authorization

Published

2024-06-21

Title

Hercules Core < 6.7 - Missing Authorization to Settings Update

Published

2025-03-31

Title

Swiss Toolkit For WP <= 1.4.3 - Missing Authorization