Doofinder for WooCommerce < 2.1.1 – Missing Authorization via multiple AJAX actions | CVE 2023-51678 | Plugin Vulnerabilities

Description

The Doofinder for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'doofinder_reset_credentials' and 'doofinder_force_update_on_save' anonymous AJAX functions in versions up to, and including, 2.0.33. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset credentials and modify the update on save settings.

Affects Plugins

doofinder-for-woocommerce

Fixed in 2.1.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ad50e216-f522-4294-a4dc-7f3bd52820b3

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Abdi Pranata

Verified

No

WPVDB ID

9370977a-8b70-42c2-b42d-4379528d683b

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-03 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2026-03-12

Title

Formidable Forms < 6.29 - Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse

Published

2025-02-17

Title

Scratch & Win – Giveaways and Contests < 2.9.0 - Missing Authorization to Unauthenticated Coupon Creation

Published

2026-04-16

Title

User Registration Stripe < 1.3.15 - Missing Authorization

Published

2025-07-30

Title

HT Mega < 2.9.1 - Missing Authorization

Published

2023-04-19

Title

miniOrange's Google Authenticator < 5.6.6 - Missing Authorization to Plugin Settings Change