WordPress Plugin Vulnerabilities

TeraWallet - For WooCommerce < 1.4.4 - Subscriber+ Arbitrary Wallet Lock/Unlock via IDOR

Description

The plugin does not ensure that the wallet to lock/unlock belongs to the user making the request, allowing any authenticated users, such as subscriber to lock/unlock arbitrary wallets via an IDOR attack

Affects Plugins

Plugin icon
woo-wallet
Fixed in 1.4.4

References

CVE
CVE-2022-3995

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
ada294dc-569d-4128-b243-c9c3e3d610b4

Timeline

Publicly Published
2022-11-14 (about 3 years ago)
Added
2022-11-15 (about 3 years ago)
Last Updated
2022-11-15 (about 3 years ago)

Other

Published
Title
Published
2025-11-12
Title
Page Builder: Pagelayer – Drag and Drop website builder < 2.0.6 - Authenticated (Author+) Insecure Direct Object Reference
Published
2024-04-22
Title
ProfileGrid – User Profiles, Memberships, Groups and Communities < 5.8.0 - Insecure Direct Object Reference
Published
2025-02-17
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
Published
2025-03-06
Title
SupportCandy < 3.3.1 - Support Ticket Attachments Download via IDOR
Published
2023-06-23
Title
JS Help Desk - Best Help Desk & Support < 2.7.8 - Subscriber+ Ticket Manipulation via IDOR