BNG Gateway For Woocommerce <= 1.6.10 - CSRF Bypass
The plugin does not properly perform CSRF checks, allowing attackers to make logged-in users perform unwanted actions, such as adding a new billing method to an existing customer and deleting a payment method...
New Relic: Restricted User can view multiple account details including customer_root_account_id, payment method, date of first payment, etc.
Summary: When a restricted user visits this URL: There is a request sent to this URL: https://www.staging-bam.nr-data.net. That request leaks the following information about the entire account, which the restricted user can view:...