WordPress Plugin Vulnerabilities

WooCommerce GoCardless Gateway < 2.5.7 - Unauthenticated Sensitive Information Disclosure

Description

The plugin does not check user permissions before displaying sensitive information about an Order, leading to sensitive information disclosure as well as the ability for an unauthenticated user to cancel any guest's order.

Affects Plugins

Plugin icon
woocommerce-gateway-gocardless
Fixed in 2.5.7

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
8e9142f1-0e2b-4272-8a6f-27599b0704cb

Timeline

Publicly Published
2023-07-10 (about 2 years ago)
Added
2023-07-24 (about 2 years ago)
Last Updated
2023-07-24 (about 2 years ago)

Other

Published
Title
Published
2024-03-28
Title
Molongui < 4.7.8 - Authenticated (Author+) Insecure Direct Object Reference
Published
2026-01-09
Title
Rosebud <= 1.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-02-26
Title
WP Recipe Maker < 10.3.3 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Metadata Modification via 'recipeId' Parameter
Published
2020-10-15
Title
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion
Published
2025-09-09
Title
WPGYM - Wordpress Gym Management System <= 67.7.0 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover