Main Vulnerability Database Vulnerabilities #VU48207

#VU48207 Improper access control in WooCommerce Blocks

Published: November 9, 2020

Vulnerability identifier: #VU48207

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
WooCommerce Blocks

Software vendor:
Automattic

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled.

Remediation

Install updates from vendor's website.

External links

https://wpscan.com/vulnerability/10460
https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/
https://github.com/woocommerce/woocommerce-gutenberg-products-block/pull/3371

#VU48207 Improper access control in WooCommerce Blocks

Description

Remediation

External links

Please verify you're human