WordPress Plugin Vulnerabilities

WPify Woo Czech < 4.0.9 - Missing Authorization

Description

The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known.

Affects Plugins

Plugin icon
wpify-woo
Fixed in 4.0.9

References

CVE
CVE-2024-1492
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/44f691f2-b3f4-49b7-8710-015b5b11db18

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
e4643394-e9a1-4da1-baec-9a6352fd73a3

Timeline

Publicly Published
2024-02-19 (about 2 years ago)
Added
2024-02-19 (about 2 years ago)
Last Updated
2024-02-19 (about 2 years ago)

Other

Published
Title
Published
2021-04-20
Title
Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation
Published
2022-05-16
Title
WPQA < 5.5 - Unauthenticated Private Message Disclosure
Published
2020-12-17
Title
ListingPro < 2.6.1 - Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation
Published
2021-11-15
Title
User Meta Shortcodes <= 0.5 - Contributor+ Unauthorized Arbitrary User Metadata Access
Published
2024-06-03
Title
WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access