WordPress Plugin Vulnerabilities

WooCommerce POS < 1.4.12 - Insufficient Verification of Data Authenticity to Authenticated (Customer+) Information Disclosure

Description

The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user This makes it possible for authenticated attackers, with customer-level access and above, to view potentially sensitive information about other users by leveraging their order id

Affects Plugins

Plugin icon
woocommerce-pos
Fixed in 1.4.12

References

CVE
CVE-2024-2384
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6b8ba69-aa8b-436f-990c-39e283f5d2f2

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
cc042e9b-aaf5-4fab-9e95-ce6e6b01c424

Timeline

Publicly Published
2024-03-19 (about 2 years ago)
Added
2024-03-19 (about 2 years ago)
Last Updated
2024-03-19 (about 2 years ago)

Other

Published
Title
Published
2024-02-05
Title
CP Polls < 1.0.72 - Unauthenticated Content Injection
Published
2022-03-15
Title
NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality
Published
2023-10-11
Title
Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection
Published
2026-02-17
Title
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 6.0.7.0 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated HTML Injection