CVE-2023-2179

Published: May 15, 2023Modified: Jan 24, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example

Affected (1)

Products: Woocommerce: Woocommerce Order Status Change Notifier

Woocommerce

1 product

Woocommerce Order Status Change Notifier

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Woocommerce Woocommerce Order Status Change Notifier	Up to 1.1.0

References (2)

https://wpscan.com/vulnerability/fbc56973-4225-4f44-8c38-d488e57cd551

Source: contact@wpscan.com

Exploit

https://wpscan.com/vulnerability/fbc56973-4225-4f44-8c38-d488e57cd551

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.