WordPress Plugin Vulnerabilities

Razorpay for WooCommerce < 4.5.7 - Subscriber+ Transfers Manipulation

Description

The plugin does not have authorisation checks when updating, creating and reversing transfers, which could allow any authenticated users, such as subscriber to perform such actions

Affects Plugins

Plugin icon
woo-razorpay
Fixed in 4.5.7

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f59cf3d6-06a0-42ec-a604-5f59c6b2be40

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
dc766425-e71e-4305-9839-a0fbc113593b

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2024-01-29 (about 2 years ago)
Last Updated
2024-01-29 (about 2 years ago)

Other

Published
Title
Published
2024-06-06
Title
GDPR CCPA Compliance & Cookie Consent Banner < 2.7.1 - Missing Authorization to Settings Update and Stored Cross-Site Scripting
Published
2025-06-05
Title
Activity Plus Reloaded for BuddyPress <= 1.1.2 - Missing Authorization
Published
2023-12-27
Title
FunnelKit Checkout < 3.11.0 - Subscriber+ Arbitrary Plugin Activation
Published
2023-05-05
Title
WP Job Portal < 2.0.2 - Unauthenticated Settings Update
Published
2025-01-15
Title
Multi Step Form < 1.7.24 - Missing Authorization to Unauthenticated Limited File Upload