Customer Email Verification for WooCommerce < 2.9.6 – Authentication Bypass via Shortcode | CVE 2024-13528 | Plugin Vulnerabilities

Description

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.

Affects Plugins

emails-verification-for-woocommerce

Fixed in 2.9.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0b3798e3-45fe-4829-9012-dc728d4af87f

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

wesley (wcraft)

Verified

No

WPVDB ID

e213e518-498d-4b31-a93d-1e90be9dba5f

Timeline

Publicly Published

2025-02-11 (about 1 year ago)

Added

2025-02-11 (about 1 year ago)

Last Updated

2025-02-12 (about 1 year ago)

Other

Published

Title

Published

2017-05-05

Title

Download Monitor < 1.9.7 - Unauthenticated Downloading of Logs

Published

2021-07-20

Title

NEX Forms < 7.8.8 - Authentication Bypass for Excel Reports

Published

2024-12-05

Title

Login With OTP < 1.5 - Authentication Bypass via Weak OTP

Published

2024-11-08

Title

CE21 Suite < 2.2.1 - Authentication Bypass

Published

2025-07-17

Title

LoginPress Pro < 5.0.2 - Authentication Bypass via WordPress.com OAuth provider