CVE-2024-9927

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators.
Configurations

Configuration 1 (hide)

cpe:2.3:a:wpovernight:woocommerce_order_proposal:*:*:*:*:*:wordpress:*:*

History

25 Oct 2024, 16:29

Type Values Removed Values Added
First Time Wpovernight
Wpovernight woocommerce Order Proposal
CPE cpe:2.3:a:wpovernight:woocommerce_order_proposal:*:*:*:*:*:wordpress:*:*
References () https://wpovernight.com/downloads/woocommerce-order-proposal/ - () https://wpovernight.com/downloads/woocommerce-order-proposal/ - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc993a4-6f65-4570-811c-13a80dbec064?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc993a4-6f65-4570-811c-13a80dbec064?source=cve - Third Party Advisory

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) El complemento WooCommerce Order Proposal para WordPress es vulnerable a la escalada de privilegios a través de la propuesta de pedido en todas las versiones hasta la 2.0.5 incluida. Esto se debe a la implementación incorrecta de la función allow_payment_without_login. Esto hace posible que atacantes autenticados, con acceso de nivel de administrador de tienda y superior, inicien sesión en WordPress con una cuenta de usuario arbitraria, incluidos los administradores.

23 Oct 2024, 02:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-23 02:15

Updated : 2024-10-25 16:29


NVD link : CVE-2024-9927

Mitre link : CVE-2024-9927

CVE.ORG link : CVE-2024-9927


JSON object : View

Products Affected

wpovernight

  • woocommerce_order_proposal
CWE
CWE-287

Improper Authentication