CVE-2023-28121

Published: Apr 12, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

Affected (9)

Products: Automattic: Woocommerce Payments, Woopayments

Automattic

2 products

Woocommerce Payments

Woopayments

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Automattic Woocommerce Payments	From 4.8.0 to 4.8.2
Automattic Woocommerce Payments	From 5.0.0 to 5.0.4
Automattic Woocommerce Payments	From 5.1.0 to 5.1.3
Automattic Woocommerce Payments	From 5.2.0 to 5.2.2
Automattic Woocommerce Payments	From 5.5.0 to 5.5.2
Automattic Woopayments	From 5.6.0 to 5.6.2
Automattic Woopayments	Version 4.9.0
Automattic Woopayments	Version 5.3.0
Automattic Woopayments	Version 5.4.0

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

Source: support@hackerone.com

Vendor Advisory

https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/

Source: support@hackerone.com

https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.