WordPress Plugin Vulnerabilities

Sunshine Photo Cart < 3.0 - Insecure Direct Object Reference to Order Manipulation

Description

The Sunshine Photo Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.9.25 due to missing validation on a user-controlled key. This can allow unauthenticated attackers to manipulate orders that do not belong to them.

Affects Plugins

Plugin icon
sunshine-photo-cart
Fixed in 3.0

References

CVE
CVE-2023-41796
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2eae7c33-2347-4b34-8b5f-7f4a6ee3e9c1

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (Medium)

Miscellaneous

Original Researcher
yuyudhn
Verified
No
WPVDB ID
faa80298-f278-4705-802d-28f282358361

Timeline

Publicly Published
2023-09-05 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2023-12-04 (about 2 years ago)

Other

Published
Title
Published
2023-04-10
Title
Ruby Help Desk < 1.3.4 - Subscriber+ Ticket Update via IDOR
Published
2026-04-16
Title
Fluent Forms < 6.2.0 - Unauthenticated Payment Status Modification via IDOR
Published
2020-10-15
Title
Realia <= 1.4 - Unauthenticated IDOR leading to Arbitrary Post Deletion
Published
2021-05-16
Title
Listeo < 1.6.11 - Multiple Authenticated IDOR Vulnerabilities
Published
2024-12-11
Title
Greenshift – animation and page builder blocks < 9.9.9.4 - Authenticated (Contributor+) Post Disclosure