Vulnerabilites related to vanquish - woocommerce_customers_manager
Vulnerability from fkie_nvd
Published
2024-04-15 05:15
Modified
2025-04-07 14:48
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "061E5628-EA25-4B28-9FEF-2C24949927F7",
"versionEndExcluding": "29.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role."
},
{
"lang": "es",
"value": "El complemento WooCommerce Customers Manager de WordPress anterior a la versi\u00f3n 29.7 no sanitiza ni escapa adecuadamente un par\u00e1metro antes de usarlo en una declaraci\u00f3n SQL, lo que genera una inyecci\u00f3n de SQL explotable por el rol Suscriptor+."
}
],
"id": "CVE-2024-0399",
"lastModified": "2025-04-07T14:48:35.920",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-15T05:15:14.627",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-24 05:15
Modified
2025-05-07 18:00
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "64A3C894-1110-4487-9531-F9CB7A6BB807",
"versionEndExcluding": "29.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name"
},
{
"lang": "es",
"value": "El complemento WooCommerce Customers Manager de WordPress anterior a 29.8 no tiene autorizaci\u00f3n ni CSRF en una acci\u00f3n AJAX, lo que permite a cualquier usuario autenticado, como un suscriptor, llamarlo y recuperar la lista de direcciones de correo electr\u00f3nico de los clientes junto con su identificaci\u00f3n, nombre y apellido."
}
],
"id": "CVE-2024-1756",
"lastModified": "2025-05-07T18:00:10.313",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-24T05:15:47.020",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 06:15
Modified
2025-05-29 17:23
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F7FE51D0-8FDF-4B96-9E85-A341F8612D50",
"versionEndExcluding": "30.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values."
},
{
"lang": "es",
"value": " El complemento de WordPress WooCommerce Customers Manager anterior a 30.2 no tiene autorizaci\u00f3n ni CSRF en varias acciones AJAX, lo que permite a cualquier usuario autenticado, como un suscriptor, llamarlos y actualizar/eliminar/crear metadatos del cliente, lo que tambi\u00e9n genera Cross Site Scripting almacenado debido a la falta de escape de dichos valores de metadatos."
}
],
"id": "CVE-2024-1747",
"lastModified": "2025-05-29T17:23:24.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-01T06:15:01.980",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-02-01 04:15
Modified
2025-02-24 16:21
Severity ?
Summary
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "ADA0EC91-5D22-4D0C-A1A2-687283717151",
"versionEndExcluding": "31.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."
},
{
"lang": "es",
"value": "El complemento WooCommerce Customers Manager para WordPress es vulnerable a la escalada de privilegios debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n ajax_assign_new_roles() en todas las versiones hasta la 31.3 y incluida. Esto permite que los atacantes autenticados, con acceso de nivel de suscriptor y superior, eleven sus privilegios a los de un administrador."
}
],
"id": "CVE-2024-13343",
"lastModified": "2025-02-24T16:21:30.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2025-02-01T04:15:30.717",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://codecanyon.net/item/woocommerce-customers-manager/10965432"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-24 05:15
Modified
2025-05-07 18:00
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "64A3C894-1110-4487-9531-F9CB7A6BB807",
"versionEndExcluding": "29.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"
},
{
"lang": "es",
"value": "El complemento de WordPress WooCommerce Customers Manager anterior a la versi\u00f3n 29.8 no sanitiza ni escapa de varios par\u00e1metros antes de devolverlos a p\u00e1ginas y atributos, lo que genera Cross-Site Scripting Reflejado que podr\u00eda usarse contra usuarios con privilegios elevados, como administradores."
}
],
"id": "CVE-2024-1743",
"lastModified": "2025-05-07T18:00:27.810",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 3.4,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-24T05:15:46.977",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 06:15
Modified
2025-05-29 17:22
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/e4059d66-07b9-4f1a-a461-d6e8f0e98eec/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2D7FA155-E24B-458E-BC23-4E44C0B17216",
"versionEndExcluding": "30.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks"
},
{
"lang": "es",
"value": " El complemento de WordPress WooCommerce Customers Manager anterior a la versi\u00f3n 30.1 no tiene comprobaciones CSRF en algunas acciones masivas, lo que podr\u00eda permitir a los atacantes hacer que los administradores que han iniciado sesi\u00f3n realicen acciones no deseadas, como eliminar clientes mediante ataques CSRF."
}
],
"id": "CVE-2024-3983",
"lastModified": "2025-05-29T17:22:34.450",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-01T06:15:02.517",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/e4059d66-07b9-4f1a-a461-d6e8f0e98eec/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 06:15
Modified
2025-05-29 17:23
Severity ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/fec4e077-4c4e-4618-bfe8-61fdba59b696/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vanquish | woocommerce_customers_manager | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2D7FA155-E24B-458E-BC23-4E44C0B17216",
"versionEndExcluding": "30.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks"
},
{
"lang": "es",
"value": " El complemento de WordPress WooCommerce Customers Manager anterior a 30.1 no tiene comprobaciones CSRF en algunos lugares, lo que podr\u00eda permitir a los atacantes hacer que los usuarios administradores registrados eliminen usuarios mediante ataques CSRF."
}
],
"id": "CVE-2024-2843",
"lastModified": "2025-05-29T17:23:03.117",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-08-01T06:15:02.367",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/fec4e077-4c4e-4618-bfe8-61fdba59b696/"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-0399 (GCVE-0-2024-0399)
Vulnerability from cvelistv5
Published
2024-04-15 05:00
Modified
2025-03-27 20:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woocommerce:woocommerce_customers_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "woocommerce_customers_manager",
"vendor": "woocommerce",
"versions": [
{
"lessThan": "29.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-0399",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T13:37:28.875784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T20:44:28.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "29.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ivan Spiridonov"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-15T05:00:01.875Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/1550e30c-bf80-48e0-bc51-67d29ebe7272/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 29.7 - Subscriber+ SQL Injection",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-0399",
"datePublished": "2024-04-15T05:00:01.875Z",
"dateReserved": "2024-01-10T15:10:32.475Z",
"dateUpdated": "2025-03-27T20:44:28.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1747 (GCVE-0-2024-1747)
Vulnerability from cvelistv5
Published
2024-08-01 06:00
Modified
2024-08-01 14:24
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woocommerce:woocommerce_customers_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woocommerce_customers_manager",
"vendor": "woocommerce",
"versions": [
{
"lessThan": "30.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1747",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T14:22:46.741519Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:24:07.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "30.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwan LR (WPScan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T06:00:02.536Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 30.2 - Subscriber+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-1747",
"datePublished": "2024-08-01T06:00:02.536Z",
"dateReserved": "2024-02-22T14:14:40.146Z",
"dateUpdated": "2024-08-01T14:24:07.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1743 (GCVE-0-2024-1743)
Vulnerability from cvelistv5
Published
2024-04-24 05:00
Modified
2024-08-01 18:48
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woocommerce:woocommerce_customers_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woocommerce_customers_manager",
"vendor": "woocommerce",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1743",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T18:12:24.255726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:59:47.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.661Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "29.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwan LR (WPScan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-24T05:00:02.107Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/3cb1f707-6093-42a7-a778-2b296bdf1735/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 29.8 - Reflected XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-1743",
"datePublished": "2024-04-24T05:00:02.107Z",
"dateReserved": "2024-02-22T13:43:57.106Z",
"dateUpdated": "2024-08-01T18:48:21.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-13343 (GCVE-0-2024-13343)
Vulnerability from cvelistv5
Published
2025-02-01 03:21
Modified
2025-02-03 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Vanquish | WooCommerce Customers Manager |
Version: * ≤ 31.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13343",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:22:45.461259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:38:53.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Vanquish",
"versions": [
{
"lessThanOrEqual": "31.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-01T03:21:10.638Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/193c9fe9-17bc-47e7-b93d-dfcebcf8004d?source=cve"
},
{
"url": "https://codecanyon.net/item/woocommerce-customers-manager/10965432"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WooCommerce Customers Manager \u003c= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13343",
"datePublished": "2025-02-01T03:21:10.638Z",
"dateReserved": "2025-01-10T19:53:38.330Z",
"dateUpdated": "2025-02-03T16:38:53.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1756 (GCVE-0-2024-1756)
Vulnerability from cvelistv5
Published
2024-04-24 05:00
Modified
2025-03-20 19:17
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T17:31:41.358060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-20T19:17:32.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:48:21.980Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "29.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erwan LR (WPScan)"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Information Exposure",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-24T05:00:02.329Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-f99e25d7290d/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 29.8 - Subscriber+ Email Disclosure",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-1756",
"datePublished": "2024-04-24T05:00:02.329Z",
"dateReserved": "2024-02-22T14:49:52.054Z",
"dateUpdated": "2025-03-20T19:17:32.442Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-3983 (GCVE-0-2024-3983)
Vulnerability from cvelistv5
Published
2024-08-01 06:00
Modified
2024-08-01 16:08
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/e4059d66-07b9-4f1a-a461-d6e8f0e98eec/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woocommerce:woocommerce_customers_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woocommerce_customers_manager",
"vendor": "woocommerce",
"versions": [
{
"lessThan": "30.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3983",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T13:16:41.169787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T16:08:02.885Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "30.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T06:00:05.102Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/e4059d66-07b9-4f1a-a461-d6e8f0e98eec/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 30.1 - Bulk Action via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3983",
"datePublished": "2024-08-01T06:00:05.102Z",
"dateReserved": "2024-04-19T13:17:33.380Z",
"dateUpdated": "2024-08-01T16:08:02.885Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-2843 (GCVE-0-2024-2843)
Vulnerability from cvelistv5
Published
2024-08-01 06:00
Modified
2024-08-07 20:03
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/fec4e077-4c4e-4618-bfe8-61fdba59b696/ | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | WooCommerce Customers Manager |
Version: 0 ≤ |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woocommerce:woocommerce_customers_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "woocommerce_customers_manager",
"vendor": "woocommerce",
"versions": [
{
"lessThan": "30.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-2843",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-07T19:46:21.505062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-07T20:03:11.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Customers Manager",
"vendor": "Unknown",
"versions": [
{
"lessThan": "30.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bob Matyas"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T06:00:03.997Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/fec4e077-4c4e-4618-bfe8-61fdba59b696/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce Customers Manager \u003c 30.1 - User Deletion via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-2843",
"datePublished": "2024-08-01T06:00:03.997Z",
"dateReserved": "2024-03-22T19:55:47.274Z",
"dateUpdated": "2024-08-07T20:03:11.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}