First published: Fri Oct 20 2023
The BEAR for WordPress plugin is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products.
Credit: security@wordfence.com
Affected Software | Affected Version | How to fix |
---|---|---|
BEAR for WordPress | <=1.1.3.3 | |
CVE-2023-4924 is a vulnerability in the BEAR for WordPress plugin that allows authenticated attackers with subscriber access or higher to delete products.
The severity of CVE-2023-4924 is medium with a CVSS score of 5.4.
An attacker with authenticated access can exploit CVE-2023-4924 by using the woobe_bulkoperations_delete function to delete products.
Upgrading to a version higher than 1.1.3.3 of the BEAR for WordPress plugin fixes CVE-2023-4924.
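The missing capability check described above, shown as an added example for plugin authors and reviewers. This is not the BEAR plugin's code and is not taken from the referenced changeset. It assumes the function is exposed as a WordPress AJAX handler, and the handler name, nonce action, `product_ids` parameter and choice of capability are hypothetical.

```php
<?php
// Added illustration, not the BEAR plugin's source. Names prefixed example_
// are hypothetical, and so is the assumption that the function is exposed
// through a wp_ajax_ hook.

// Weak form (shown for contrast, never hooked): wp_ajax_{action} fires for
// every logged-in user, subscribers included, and nothing here asks whether
// the caller is allowed to delete products.
function example_bulk_delete_weak() {
    foreach ((array) ($_POST['product_ids'] ?? array()) as $id) {
        wp_delete_post((int) $id, true);
    }
    wp_die();
}

// Hardened form: nonce, capability gate, then a per-object check.
function example_bulk_delete_hardened() {
    // Rejects requests without a valid nonce (dies with 403 by default).
    check_ajax_referer('example_bulk_delete', 'nonce');

    // Capability choice is an assumption; manage_woocommerce is the
    // WooCommerce shop-manager capability, which subscribers do not hold.
    if (!current_user_can('manage_woocommerce')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    $raw = (array) wp_unslash($_POST['product_ids'] ?? array());
    $ids = array_unique(array_filter(array_map('absint', $raw)));

    $deleted = array();
    foreach ($ids as $id) {
        // Only products, and only those this user may delete.
        if (get_post_type($id) !== 'product' || !current_user_can('delete_post', $id)) {
            continue;
        }
        if (wp_delete_post($id, true)) {
            $deleted[] = $id;
        }
    }
    wp_send_json_success(array('deleted' => $deleted));
}
add_action('wp_ajax_example_bulk_delete', 'example_bulk_delete_hardened');
```

When auditing other handlers in a plugin, the same three checks (nonce, capability, per-object permission) are what to look for in every function hooked to `wp_ajax_*`.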
You can find more information about CVE-2023-4924 at the following references: [Reference 1](https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344), [Reference 2](https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1&old=2844667&old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.php), [Reference 3](https://www.wordfence.com/threat-intel/vulnerabilities/id/7dfd0246-4265-4dde-8a1e-18b7042eae74?source=cve)