Local Delivery Drivers for WooCommerce < 1.9.1 – Missing Authorization to Driver Account Takeover | CVE 2023-51481 | Plugin Vulnerabilities

Description

The Local Delivery Drivers for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'lddfw_edit_driver_service' function in all versions up to, and including, 1.9.0. This makes it possible for unauthenticated attackers to take over driver accounts.

Affects Plugins

local-delivery-drivers-for-woocommerce

Fixed in 1.9.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/99f4f1dc-13a9-4fa0-bdb1-77a0d416c80f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

No

WPVDB ID

c0a78256-f745-4d44-b980-6b69f8c73eb2

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-03-11

Title

LadiApp <= 4.4 - Missing Authorization via ladiflow_save_hook()

Published

2023-07-25

Title

Ninja Forms < 3.6.26 - Contributor+ Form Entries Export

Published

2026-01-06

Title

Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update

Published

2026-04-03

Title

Kadence Blocks < 3.6.4 - Contributor+ Media Upload

Published

2026-01-22

Title

Easy Property Listings < 3.5.21 - Missing Authorization