Customer Email Verification for WooCommerce < 2.7.5 – Authentication Bypass | CVE 2024-4185 | Plugin Vulnerabilities

Description

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the "Login the user automatically after the account is verified" and "Verify account for current users" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users.

Affects Plugins

emails-verification-for-woocommerce

Fixed in 2.7.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

István Márton

Verified

No

WPVDB ID

8edc17ad-fdd6-44a9-a3c6-cfff0164f13a

Timeline

Publicly Published

2024-04-29 (about 2 years ago)

Added

2024-05-03 (about 2 years ago)

Last Updated

2024-05-03 (about 2 years ago)

Other

Published

Title

Published

2024-09-24

Title

LatePoint < 5.0.13 - Authentication Bypass

Published

2023-10-25

Title

Admin and Site Enhancements (ASE) < 5.8.0 - Password Protection Mode Security Feature Bypass

Published

2023-05-17

Title

MStore API < 3.9.1 - Authentication Bypass

Published

2025-08-22

Title

Case Theme User < 1.0.4 - Authentication Bypass via Social Login

Published

2023-11-24

Title

JobSearch WP Job Board < 2.3.4 - Authentication Bypass