Thank You Page Customizer for WooCommerce – Increase Your Sales < 1.1.3 – Missing Authorization to Authenticated (Subscriber+) Data Export | CVE 2024-1686 | Plugin Vulnerabilities

Description

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

Affects Plugins

woo-thank-you-page-customizer

Fixed in 1.1.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7ebc0c-6936-4632-a602-7131c7d8bd6a

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

db1d5194-192c-4319-b9eb-1130b9fca917

Timeline

Publicly Published

2024-02-26 (about 2 years ago)

Added

2024-02-26 (about 2 years ago)

Last Updated

2024-02-26 (about 2 years ago)

Other

Published

Title

Published

2026-01-22

Title

Ryviu – Product Reviews for WooCommerce <= 3.1.26 - Missing Authorization

Published

2024-06-21

Title

Page Builder Sandwich – Front-End Page Builder <= 5.1.0 - Missing Authorization

Published

2026-03-23

Title

Indeed Membership Pro < 13.7.1 - Missing Authorization

Published

2024-08-20

Title

Smart Online Order for Clover < 1.5.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Data Update

Published

2025-02-18

Title

Raptive Ads < 3.7.1 - Missing Authorization to Unauthenticated Data/Settings Reset