WordPress Plugin Vulnerabilities

Order Tracking < 3.3.13 - Missing Authorization via send_test_email()

Description

The Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the send_test_email() function in versions up to, and including, 3.3.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to send test emails.

Affects Plugins

Plugin icon
order-tracking
Fixed in 3.3.13

References

CVE
CVE-2024-43343
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e0e00ec-f7c2-4c1b-802a-acf0892d2083

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Abdi Pranata
Verified
No
WPVDB ID
e951f2c5-f3b7-4870-aac5-61eba06b907a

Timeline

Publicly Published
2024-08-16 (about 1 year ago)
Added
2024-08-19 (about 1 year ago)
Last Updated
2024-08-19 (about 1 year ago)

Other

Published
Title
Published
2025-01-07
Title
Post SMTP < 2.9.12 - Missing Authorization via regenerate_qrcode()
Published
2024-05-15
Title
Tutor LMS Pro < 2.7.1 - Missing Authorization to SQL Injection
Published
2025-04-17
Title
JetElements For Elementor < 2.7.4.2 - Missing Authorization
Published
2023-11-01
Title
Funnelforms Free < 3.4.2 - Missing Authorization to Category Deletion
Published
2025-01-06
Title
WordPress File Upload < 4.25.0 - Missing Authorization to Authenticated (Subscriber+) Limited Path Traversal