CVE-2023-0865

Published: Mar 20, 2023Modified: Feb 26, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users.

Affected (1)

Products: Woocommerce Multiple Customer Addresses & Shipping Project: Woocommerce Multiple Customer Addresses & Shipping

Woocommerce Multiple Customer Addresses & Shipping Project

1 product

Woocommerce Multiple Customer Addresses & Shipping

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Woocommerce Multiple Customer Addresses & Shipping Project Woocommerce Multiple Customer Addresses & Shipping	Before 21.7

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec

Source: contact@wpscan.com

ExploitThird Party Advisory

https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.