The plugin does not correctly implement a capability check on the ‘hf_update_customer’ function, which is triggered via an AJAX action. This omission allows users with shop manager-level permissions to modify data they should not have access to, such as changing user passwords and potentially gaining control over administrator accounts.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | users-customers-import-export-for-wp-woocommerce | lt | 2.4.2 |
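
The kind of check the description says is missing, sketched as an added example of a hardened AJAX handler. This is not the plugin's code: the action name, nonce name, function name and POST field names are hypothetical, and only WordPress core functions are used.

```php
<?php
// Added illustration. Hypothetical handler, action and field names.
add_action( 'wp_ajax_example_update_customer', 'example_update_customer' );

function example_update_customer() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    check_ajax_referer( 'example_update_customer', 'nonce' );

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    // 2. Authorization against the *target* account, not just "is logged in".
    //    'edit_user' is a meta capability resolved per user ID, so role
    //    restrictions (such as those WooCommerce applies to shop managers)
    //    are evaluated for the specific account being modified.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Allow-list the writable fields. 'user_pass' and role fields are
    //    deliberately absent, so this endpoint cannot reset credentials.
    $update = array( 'ID' => $user_id );
    if ( isset( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        if ( ! is_email( $email ) ) {
            wp_send_json_error( array( 'message' => 'Invalid email.' ), 400 );
        }
        $update['user_email'] = $email;
    }
    foreach ( array( 'first_name', 'last_name' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            $update[ $field ] = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
        }
    }

    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'user_id' => $result ) );
}
```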