WordPress Plugin Vulnerabilities

Advanced Local Pickup for WooCommerce < 1.6.3 - Missing Authorization

Description

The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/include/customizer/customizer-admin.php file in versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to update plugin settings and send test emails.

Affects Plugins

Plugin icon
advanced-local-pickup-for-woocommerce
Fixed in 1.6.3

References

CVE
CVE-2024-31283
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/22a1920e-2a3f-4996-873d-26e3930e6929

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
f8961898-f18e-40be-95a7-0be23dcabf5d

Timeline

Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-10 (about 2 years ago)
Last Updated
2024-04-10 (about 2 years ago)

Other

Published
Title
Published
2024-02-29
Title
Wp Social Login and Register Social Counter < 3.0.1 - Missing Authorization to Unauthenticated Social Login/Share Status Update
Published
2026-01-20
Title
Scalenut <= 1.1.3 - Missing Authorization
Published
2021-12-21
Title
Shortcode Addons < 3.1.0 - Unauthenticated Arbitrary Option Update
Published
2024-07-01
Title
CRM Perks Forms < 1.1.6 - Missing Authorization to Unauthenticated Form Submission
Published
2025-09-22
Title
Oshine Core <= 1.5.5 - Missing Authorization