WordPress Plugin Vulnerabilities

WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update

Description

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders.

Affects Plugins

Plugin icon
woocommerce-ean-payment-gateway
Fixed in 6.1.0

References

CVE
CVE-2023-4947
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
István Márton, Yan&Co ApS
Verified
No
WPVDB ID
f074b514-d123-40f9-8e7f-5e05701d9b40

Timeline

Publicly Published
2023-09-13 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-12 (about 2 years ago)

Other

Published
Title
Published
2025-12-11
Title
Lottier <= 1.1.1 - Missing Authorization
Published
2025-08-11
Title
Project Cost Calculator <= 1.0.0 - Missing Authorization
Published
2026-03-02
Title
BigHearts < 3.1.15 - Missing Authorization
Published
2025-06-12
Title
CubeWP Forms < 1.1.6 - Missing Authorization
Published
2026-01-03
Title
Don Peppe <= 1.3 - Missing Authorization