Woocommerce Customers Manager

woocommerce_customers_manager

Vendor: Vanquish • 7 CVEs

CVEs (7)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-13343 1Vanquish 1Woocommerce Customers Manager Feb 24, 2025 Feb 1, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This make...Show more The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.Show less
CVE-2024-3983 1Vanquish 1Woocommerce Customers Manager May 29, 2025 Aug 1, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via...Show more The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacksShow less
CVE-2024-2843 1Vanquish 1Woocommerce Customers Manager May 29, 2025 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks
CVE-2024-1747 1Vanquish 1Woocommerce Customers Manager May 29, 2025 Aug 1, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create cus...Show more The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.Show less
CVE-2024-1756 1Vanquish 1Woocommerce Customers Manager May 7, 2025 Apr 24, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer em...Show more The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last nameShow less
CVE-2024-1743 1Vanquish 1Woocommerce Customers Manager May 7, 2025 Apr 24, 2024 N/A· v4 5.9 MEDIUM· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could...Show more The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adminShow less
CVE-2024-0399 1Vanquish 1Woocommerce Customers Manager Apr 7, 2025 Apr 15, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.