WordPress Plugin Vulnerabilities

WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

Description

The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-order-status-change-notifier
No known fix

References

CVE
CVE-2023-2179

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
fbc56973-4225-4f44-8c38-d488e57cd551

Timeline

Publicly Published
2023-04-19 (about 2 years ago)
Added
2023-04-19 (about 2 years ago)
Last Updated
2023-04-19 (about 2 years ago)

Other

Published
Title
Published
2025-11-25
Title
UsersWP < 1.2.48 - Missing Authorization
Published
2024-07-23
Title
Social Auto Poster < 5.3.15 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template
Published
2024-03-21
Title
AI Post Generator < 3.4 - Subscriber+ Posts Read/Creation/Deletion
Published
2024-04-11
Title
Advanced Post Block < 1.13.5 - Unauthenticated Arbitrary Post Access
Published
2025-10-17
Title
Admin Management Xtended <= 2.5.1 - Missing Authorization