CVE-2023-2179

2023-05-1513:15:10

[email protected]

web.nvd.nist.gov

cve-2023

woocommerce

wordpress plugin

order status change notifier

csrf

ajax

security vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.1%

JSON

The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

Affected configurations

Vulners

NVD

Node

woocommercewoocommerce_order_status_change_notifierRange≤1.1.0

VendorProductVersionCPE
woocommercewoocommerce_order_status_change_notifier*cpe:2.3:a:woocommerce:woocommerce_order_status_change_notifier:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
woocommerce	woocommerce_order_status_change_notifier	*	cpe:2.3:a:woocommerce:woocommerce_order_status_change_notifier::::::::

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "WooCommerce Order Status Change Notifier",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThanOrEqual": "1.1.0"
      }
    ],
    "defaultStatus": "affected"
  }
]