WordPress Plugin Vulnerabilities

Product Expiry for WooCommerce < 2.6 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
product-expiry-for-woocommerce
Fixed in 2.6

References

CVE
CVE-2024-0201
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c4006612-770a-482f-a8c2-e62f607914a9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
d3b6c263-e14b-491b-b434-7e14274fa1e9

Timeline

Publicly Published
2024-01-02 (about 2 years ago)
Added
2024-01-03 (about 2 years ago)
Last Updated
2024-01-03 (about 2 years ago)

Other

Published
Title
Published
2025-06-05
Title
Raychat < 2.2.0 - Missing Authorization
Published
2025-04-15
Title
Barcode Generator for WooCommerce < 2.0.5 - Authenticated (Subscriber+) Arbitrary Content Deletion
Published
2024-01-19
Title
WPvivid < 0.9.95 - Missing Authorization
Published
2024-05-29
Title
Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX < 4.1.3 - Missing Authorization to Arbitrary Options Update
Published
2025-04-08
Title
Site Notify <= 1.0 - Missing Authorization