Booster for WooCommerce < 7.1.1 – Subscriber+ Sensitive Information Disclosure | CVE 2023-4796 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Information Disclosure via the 'wcj_wp_option' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive site options.

Affects Plugins

woocommerce-jetpack

Fixed in 7.1.1

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Verified

No

WPVDB ID

ca1e57d1-f320-4122-a716-9f4371d58897

Timeline

Publicly Published

2023-09-13 (about 2 years ago)

Added

2023-09-14 (about 2 years ago)

Last Updated

2023-09-14 (about 2 years ago)

Other

Published

Title

Published

2024-08-12

Title

Bit Form Pro < 2.8.0 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2023-11-28

Title

BigCommerce <= 5.1.2 - Unauthenticated Sensitive Information Exposure

Published

2026-03-26

Title

Nexter Blocks < 4.7.1 - Unauthenticated Information Exposure

Published

2023-03-16

Title

WP Tiles <= 1.1.2 - Subscriber+ Draft/Private Post Title Disclosure

Published

2022-01-28

Title

Perfect Brands for WooCommerce < 2.0.5 - Subscriber+ Sensitive Information Disclosure