WordPress Plugin Vulnerabilities

Customer Reviews for WooCommerce < 5.36.1 - Missing Authorization

Description

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX actions in versions up to, and including, 5.36.0. This makes it possible for authenticated attackers with subscriber level access to cancel exports and obtain progress reports on exports.

Affects Plugins

Plugin icon
customer-reviews-woocommerce
Fixed in 5.36.1

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5429fb1-7072-4a00-8fb3-48d4f876417f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Verified
No
WPVDB ID
3453835f-cb07-48b1-ac3c-8ebf8eed6c4c

Timeline

Publicly Published
2023-10-04 (about 7 months ago)
Added
2023-12-07 (about 5 months ago)
Last Updated
2023-12-07 (about 5 months ago)

Other

Published
Title
Published
2023-11-23
Title
TextMe SMS < 1.9.1 - Subscriber+ Settings Update
Published
2024-04-09
Title
Essential Grid < 3.1.2 - Unauthenticated Private Post Disclosure
Published
2024-04-22
Title
BP Better Messages < 2.4.33 - Missing Authorization
Published
2022-03-14
Title
Amelia < 1.0.49 - Customer+ Arbitrary Appointments Status Update
Published
2024-03-05
Title
Total < 2.1.60 - Missing Authorization to Authenticated (Subscriber+) Sections Update