Description

WordPress Plugin WooCommerce is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently leak analytics reports. WordPress Plugin WooCommerce version 5.6.0 is vulnerable; prior versions may also be affected.

Remediation

Update to plugin versions 4.0.3,4.1.3,4.2.4,4.3.5,4.4.3,4.5.4,4.6.4,4.7.3,4.8.2,4.9.4,5.0.2,5.1.2,5.2.4,5.3.2,5.4.3,5.5.3,5.6.1,5.7.0 or latest

References

https://developer.woocommerce.com/2021/09/22/important-security-patch-released-in-woocommerce/

https://wptavern.com/woocommerce-5-7-0-patches-security-issue-that-could-potentially-leak-analytics-reports

Related Vulnerabilities

SharePoint Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-0950)

WordPress Plugin WordPress Download Manager Arbitrary File Upload (2.8.97)

Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)

Squid Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') Vulnerability (CVE-2020-15811)

WordPress Plugin Twitter Button by BestWebSoft Cross-Site Scripting (2.54)

Severity

High

Classification

CWE-284 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Authentication Bypass