Description

WordPress Plugin WooCommerce Admin is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently leak analytics reports. WordPress Plugin WooCommerce Admin version 2.6.3 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin versions 1.0.4,1.1.4,1.2.5,1.3.3,1.4.1,1.5.1,1.6.4,1.7.4,1.8.4,1.9.1,2.0.4,2.1.6,2.2.7,2.3.2,2.4.5,2.5.2,2.6.4 or latest

References

https://developer.woocommerce.com/2021/09/22/important-security-patch-released-in-woocommerce/

https://wptavern.com/woocommerce-5-7-0-patches-security-issue-that-could-potentially-leak-analytics-reports

Related Vulnerabilities

IBM RTC Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2017-1507)

WordPress Plugin HDInvoice-Create Invoices Arbitrary File Upload (0.1)

SharePoint Improper Certificate Validation Vulnerability (CVE-2019-1006)

WordPress Plugin WPML Translation Management PHP Object Injection (2.4.1)

PHP Numeric Errors Vulnerability (CVE-2015-4021)

Severity

High

Classification

CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass