Lucene search

WordfenceCVELIST:CVE-2024-1689

HistoryJun 07, 2024 - 2:02 a.m.

CVE-2024-1689 WooCommerce Tools <= 1.2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation

2024-06-0702:02:36

Wordfence

www.cve.org

woocommerce tools

wordpress

authorization

vulnerability

plugin module deactivation

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.6%

JSON

The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to deactivate arbitrary plugin modules.

CNA Affected

[
  {
    "vendor": "themefarmer",
    "product": "WooCommerce Tools",
    "versions": [
      {
        "version": "*",
        "status": "affected",
        "lessThanOrEqual": "1.2.9",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

plugins.trac.wordpress.org/browser/woo-tools/trunk/admin/admin-init.php#L61

plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3098165%40woo-tools&new=3098165%40woo-tools&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/3830c901-be36-4c4b-976b-d388b6af0c67?source=cve

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.6%

JSON

Related for CVELIST:CVE-2024-1689