WordPress Plugin Vulnerabilities

BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.20 - Missing Authorization

Description

The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wc4bp_shop_profile_sync_ajax() function in versions up to, and including, 3.4.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to sync shop profiles.

Affects Plugins

Fixed in 3.4.20

References

Classification

Type
NO AUTHORISATION
CWE

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No

Timeline

Publicly Published
2024-06-06 (about 2 years ago)
Added
2024-06-12 (about 2 years ago)
Last Updated
2024-06-12 (about 2 years ago)

Other