The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF checks when updating order statuses via an AJAX action available to any authenticated user. This could allow low-privilege users such as subscribers to update arbitrary order statuses, for example marking orders as paid without actually paying for them.
References
Link | Resource |
---|---|
https://wpscan.com/vulnerability/fbc56973-4225-4f44-8c38-d488e57cd551 | Exploit |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: WPScan
Published: 2023-05-15T12:15:35.876Z
Updated: 2023-05-15T12:15:35.876Z
Reserved: 2023-04-19T09:47:37.440Z
Link: CVE-2023-2179
NVD Information
Status: Modified
Published: 2023-05-15T13:15:10.870
Modified: 2023-11-07T04:12:07.173
Link: CVE-2023-2179
Redhat Information
No data.
CWE
No CWE.