CVE-2021-4347
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.7%
The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn’t fully address the issue.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| zorem | advanced_shipment_tracking_for_woocommerce | * | cpe:2.3:a:zorem:advanced_shipment_tracking_for_woocommerce:*:*:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "zorem",
"product": "Advanced Shipment Tracking for WooCommerce",
"versions": [
{
"version": "*",
"status": "affected",
"lessThanOrEqual": "3.2.6",
"versionType": "semver"
}
],
"defaultStatus": "unaffected"
}
]Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.7%