WordPress Plugin Vulnerabilities

WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)

Description

The PayPal Standard payment gateway (deprecated since July 2021) of the plugin could allow attackers to mark an order as paid without actually making a payment, when PDT is enabled.

Affects Plugins

Plugin icon
woocommerce
Fixed in 6.3.1

References

URL
https://developer.woocommerce.com/2022/03/10/woocommerce-3-5-10-6-3-1-security-releases/

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
3.7 (low)

Miscellaneous

Verified
Yes
WPVDB ID
bdda03d0-d657-4e12-8996-40152194c607

Timeline

Publicly Published
2022-03-10 (about 2 years ago)
Added
2022-03-10 (about 2 years ago)
Last Updated
2022-04-17 (about 2 years ago)

Other

Published
Title
Published
2022-03-01
Title
Amelia < 1.0.47 - Customer+ Arbitrary Appointments Update and Sensitive Data Disclosure
Published
2021-09-29
Title
Stylish Price List < 6.9.1 - Subscriber+ Arbitrary Image Upload
Published
2024-02-03
Title
WP Hotel Booking < 2.0.9.3 - Improper Authorization on Multiple REST API Routes
Published
2022-07-25
Title
Flipbox < 2.6.1 - Authenticated Arbitrary Options Update
Published
2022-10-17
Title
WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint