Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveWordfenceCVE-2023-2781
HistoryJun 03, 2023 - 12:15 a.m.

CVE-2023-2781

2023-06-0300:15:09
CWE-306
Wordfence
web.nvd.nist.gov
36
wordpress
plugin
vulnerability
authentication bypass
woocommerce
cve-2023-2781
nvd

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

54.1%

JSON

The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default.

Affected configurations

Nvd
Vulners
Node
wisetruser_email_verification_for_woocommerceRange3.5.0wordpress
VendorProductVersionCPE
wisetruser_email_verification_for_woocommerce*cpe:2.3:a:wisetr:user_email_verification_for_woocommerce:*:*:*:*:*:wordpress:*:*

CNA Affected

[
  {
    "vendor": "sandeepsoni214",
    "product": "User Email Verification for WooCommerce",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "3.5.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Related

nvd 1
wpvulndb 1
cvelist 1
prion 1
wordfence 2
nvd
nvd
CVE-2023-2781
2023-06-03 00:15:09
wpvulndb
wpvulndb
User Email Verification for WooCommerce <= 3.5.0 - Authentication bypass via weak token generation
2023-06-02 00:00:00
cvelist
cvelist
CVE-2023-2781
2023-06-02 23:37:56
prion
prion
Authentication flaw
2023-06-03 00:15:00
wordfence
wordfence
2023’s Critical WordPress Vulnerabilities and How They Work
2024-02-12 19:11:21
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 29, 2023 to June 4, 2023)
2023-06-08 13:39:51

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.002

Percentile

54.1%

JSON
Related for CVE-2023-2781
nvd1wpvulndb1cvelist1prion1wordfence2