WordPress Plugin Vulnerabilities

WooCommerce Product Vendors < 2.1.69 - Vendor Commission Percentage Update via IDOR

Description

The plugin does not ensure that vendors can not update the commission percentage set by shop admin, as a result, vendors can set their own commission percentage by making a crafted request

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-product-vendors
Fixed in 2.1.69

References

URL
https://hackerone.com/reports/1720614

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
Yes
WPVDB ID
838093be-7d7d-44ed-a3c4-7dba2749f5da

Timeline

Publicly Published
2022-11-24 (about 3 years ago)
Added
2023-04-18 (about 3 years ago)
Last Updated
2023-04-18 (about 3 years ago)

Other

Published
Title
Published
2025-10-16
Title
Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2023-06-27
Title
LearnDash LMS < 4.6.0.1 - User Account Takeover via Insecure Direct Object References
Published
2021-10-11
Title
Squaretype Modern Blog < 3.0.4 - Unauthenticated Private/Schedule Posts Disclosure
Published
2022-08-02
Title
Affiliate For WooCommerce < 4.8.0 - Subscriber+ Paypal Email Update via IDOR
Published
2025-11-20
Title
Return Refund and Exchange For WooCommerce < 4.5.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read