First published: Mon May 15 2023
The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not perform authorisation or CSRF (nonce) checks when updating order statuses via an AJAX action that is available to any authenticated user. This could allow low-privilege users, such as subscribers, to set arbitrary order statuses, for example marking orders as paid without actually paying for them.
Credit: contact@wpscan.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WooCommerce Order Status Change Notifier (WordPress plugin) | <=1.1.0 | |
The vulnerability ID for the WooCommerce Order Status Change Notifier WordPress plugin is CVE-2023-2179.
The severity of CVE-2023-2179 is medium with a CVSS score of 6.5.
The affected software is the WooCommerce Order Status Change Notifier WordPress plugin version up to and including 1.1.0.
CVE-2023-2179 allows low-privilege users, such as subscribers, to update arbitrary order statuses in WooCommerce, potentially leading to unauthorised changes in the system.
To fix CVE-2023-2179, it is recommended to update the WooCommerce Order Status Change Notifier WordPress plugin to a version beyond 1.1.0 that includes the necessary authorization and CSRF protections.
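The advisory and the fix note above describe the two missing controls (authorisation and a CSRF nonce) on a WordPress AJAX handler. The following is an added, illustrative example and not the plugin's own code: a generic WooCommerce order-status handler shown first in the weak form the advisory describes and then in a hardened form. The hook name, nonce action and parameter names (the `osc_demo_*` identifiers) are assumptions chosen for this example; the WordPress and WooCommerce API calls (`check_ajax_referer`, `current_user_can`, `wc_get_order`, `wc_get_order_statuses`, `update_status`) are real.

```php
<?php
// Illustrative example, not the plugin's code. Shows a WordPress AJAX handler
// that changes a WooCommerce order status, first without the checks the
// advisory says were missing, then with them. Names prefixed "osc_demo_" are
// assumptions made for this example.

// --- Weak pattern: every wp_ajax_* hook is reachable by any logged-in user,
// and nothing here verifies the caller's capability or a request nonce, so a
// subscriber-level account can set any status on any order id.
function osc_demo_update_status_unsafe() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $order    = wc_get_order( $order_id );
    if ( $order ) {
        $order->update_status( $status ); // e.g. "completed" on an unpaid order
    }
    wp_send_json_success();
}

// --- Hardened pattern: CSRF nonce, capability check, and input validation.
function osc_demo_update_status_safe() {
    // 1. CSRF: the request must carry a nonce created for this exact action.
    //    check_ajax_referer() terminates the request itself on failure.
    check_ajax_referer( 'osc_demo_update_status', 'nonce' );

    // 2. Authorisation: only users allowed to manage the shop may change orders.
    //    A subscriber does not hold manage_woocommerce, so the request stops here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate input: a numeric order id and a registered order status only.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $status   = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'unknown order' ), 404 );
    }
    // wc_get_order_statuses() keys carry the "wc-" prefix; accept either form.
    $key = 0 === strpos( $status, 'wc-' ) ? $status : 'wc-' . $status;
    if ( ! array_key_exists( $key, wc_get_order_statuses() ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }

    $order->update_status( $status, 'Status changed via authorised AJAX request.' );
    wp_send_json_success( array( 'order_id' => $order_id, 'status' => $status ) );
}

// Register only the hardened handler. No wp_ajax_nopriv_* hook is added, so
// unauthenticated requests are not served at all.
add_action( 'wp_ajax_osc_demo_update_status', 'osc_demo_update_status_safe' );

// The page that issues the request must be given a nonce for the same action,
// for example alongside the script that performs the AJAX call:
//   wp_localize_script( 'osc-demo', 'oscDemo', array(
//       'nonce' => wp_create_nonce( 'osc_demo_update_status' ),
//   ) );
```

When reviewing a plugin for this class of issue, the check is mechanical: for each `wp_ajax_*` and `wp_ajax_nopriv_*` registration, confirm the callback calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` test appropriate to the action before it touches any order, post or option. A nonce alone is not authorisation; WordPress nonces are issued to any logged-in user, so the capability check is what actually keeps subscribers away from order data.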