WordPress Plugin Vulnerabilities

WooCommerce Payments < 4.5.1 - Intent Parameter Tampering

Description

The plugin allows customer to complete an order on a merchant’s site without paying for it.

Affects Plugins

Plugin icon
woocommerce-payments
Fixed in 4.5.1

References

URL
https://developer.woocommerce.com/2022/08/09/woocommerce-payments-3-9-4-4-5-1-security-releases/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
7.5 (high)

Miscellaneous

Verified
Yes
WPVDB ID
8f72a636-52c0-4a63-b1b2-4af7e6825801

Timeline

Publicly Published
2023-06-22 (about 2 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2026-04-07 (about 9 hours ago)

Other

Published
Title
Published
2026-03-10
Title
ProfilePress < 4.16.12 - Subscriber+ Arbitrary Subscription Cancellation/Expiration
Published
2026-01-09
Title
WooCommerce Square < 5.1.2 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
Published
2025-02-03
Title
JS Help Desk – The Ultimate Help Desk & Support Plugin < 2.8.9 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-02-17
Title
Frontend User Notes < 2.1.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Note Modification
Published
2023-06-13
Title
WooCommerce Stripe Payment Gateway < 7.4.1 - Unauthenticated PII Disclosure via IDOR