Export and Import Users and Customers < 2.4.2 – Shop Manager+ Privilege Escalation | CVE 2023-3459 | Plugin Vulnerabilities

Description

The plugin does not correctly implement a capability check on the 'hf_update_customer' function, which is triggered via an AJAX action. This omission allows users with shop manager-level permissions to modify data they should not have access to, such as changing user passwords and potentially gaining control over administrator accounts.

Affects Plugins

users-customers-import-export-for-wp-woocommerce

Fixed in 2.4.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/47337214-9cc3-4b12-bb71-9acbab3649b7

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Verified

No

WPVDB ID

ed675238-e6e1-4db4-b990-a18b78c2532b

Timeline

Publicly Published

2023-07-14 (about 2 years ago)

Added

2023-07-18 (about 2 years ago)

Last Updated

2023-07-18 (about 2 years ago)

Other

Published

Title

Published

2023-11-28

Title

WP Mail Log < 1.1.3 – Incorrect Authorization in REST API Endpoints

Published

2021-09-29

Title

Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload

Published

2021-10-04

Title

Logo Slider and Showcase < 1.3.37 - Editor Plugin's Settings Update

Published

2025-03-03

Title

Ultimate WordPress Auction Plugin < 4.3.0 - Contributor+ Arbitrary Post Deletion

Published

2022-10-17

Title

WP < 6.0.3 - Data Exposure via REST Terms/Tags Endpoint