CVE-2024-13528

Published: Feb 12, 2025Modified: Feb 18, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.

Affected (1)

Products: Wpfactory: Customer Email Verification For Woocommerce

1 product

Customer Email Verification For Woocommerce

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Wpfactory Customer Email Verification For Woocommerce	Before 2.9.6

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (3)

https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.9.2/includes/class-alg-wc-ev-emails.php#L151

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset/3238136/

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/0b3798e3-45fe-4829-9012-dc728d4af87f?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.