Main Vulnerability Database Vulnerabilities #VU48208

#VU48208 Improper access control in WooCommerce

Published: November 9, 2020

Vulnerability identifier: #VU48208

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
WooCommerce

Software vendor:
WooCommerce

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote authenticated attacker can create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled.

Remediation

Install updates from vendor's website.

External links

https://wpscan.com/vulnerability/10459
https://developer.woocommerce.com/2020/11/05/developer-advisory-spam-orders-and-accounts-from-bots/
https://github.com/woocommerce/woocommerce/commit/e711a447feaf3d6020204e4319fdd5ba47c3f0b9