WordPress Plugin Vulnerabilities

Product Sort and Display for WooCommerce < 2.4.2 - Missing Authorization

Description

The Product Sort and Display for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the psad_update_product_cat_custom_meta_ajax function in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to hide product categories.

Affects Plugins

Plugin icon
woocommerce-product-sort-and-display
Fixed in 2.4.2

References

CVE
CVE-2024-1807
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c8bd778b-1d56-4544-b2c3-a77a7ec05aa4

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
eb36e611-d5ce-452a-aa43-5743535d7f84

Timeline

Publicly Published
2024-04-01 (about 2 years ago)
Added
2024-04-01 (about 2 years ago)
Last Updated
2024-04-01 (about 2 years ago)

Other

Published
Title
Published
2025-01-08
Title
Bitly's WordPress Plugin < 2.7.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Published
2024-04-25
Title
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Missing Authorization
Published
2024-07-11
Title
Wholesale Suite < 2.2.0 - Missing Authorization
Published
2022-03-28
Title
RSVP and Event Management < 2.7.8 - Unauthenticated Entries Export
Published
2026-03-17
Title
Yoast Duplicate Post < 4.6 - Contributor+ Arbitrary Post Duplication and Overwrite