WordPress Plugin Vulnerabilities

WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR

Description

"The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action."

Proof of Concept

Affects Plugins

Plugin icon
woocommerce
Fixed in 4.7.0

References

CVE
CVE-2020-29156
URL
https://github.com/Ko-kn3t/CVE-2020-29156

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Ko-kn3t
Verified
No
WPVDB ID
c420f079-5803-47ec-9844-28b0785c35f0

Timeline

Publicly Published
2020-12-28 (about 5 years ago)
Added
2021-02-22 (about 4 years ago)
Last Updated
2021-02-23 (about 4 years ago)

Other

Published
Title
Published
2024-10-25
Title
School Management System – WPSchoolPress < 2.2.11 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation
Published
2024-12-02
Title
Charity Addon for Elementor <= 1.3.3 - Authenticated (Contributor+) Post Disclosure
Published
2025-11-18
Title
YITH WooCommerce Wishlist < 4.10.1 - Unauthenticated Wishlist Rename via IDOR
Published
2024-05-15
Title
Tutor LMS – eLearning and online course solution < 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
Published
2025-11-20
Title
ELEX WordPress HelpDesk & Customer Ticketing System < 3.3.0 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'eh_crm_ticket_single_view_client'