Unauthorized Data Access in WooCommerce Multivendor Marketplace by WCFM
CVE-2023-2275
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 9 June 2023
What is CVE-2023-2275?
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress has an access control vulnerability caused by inadequate capability checks on key functions such as 'get_item', 'get_order_notes', and 'add_order_note'. As a result, authenticated users with the subscriber role or higher can view sensitive order details and order notes without authorization, and can add notes to orders. The vulnerability affects versions up to and including 1.5.3 and puts the integrity and confidentiality of order data at risk in e-commerce environments.
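For comparison, the sketch below shows a REST permission callback that enforces both a capability check and an order ownership check before order notes can be read or added. It is an added example, not the plugin's code or its patch; the route namespace, the `example_manage_vendor_orders` capability, the `_example_vendor_id` meta key and all `example_*` function names are hypothetical.

```php
<?php
// Added illustration. Route namespace, capability, meta key and function names are hypothetical.
add_action( 'rest_api_init', function () {
    $guard = array( 'permission_callback' => 'example_order_permission_check' );
    register_rest_route( 'example-vendor/v1', '/orders/(?P<id>\d+)/notes', array(
        array( 'methods' => WP_REST_Server::READABLE,  'callback' => 'example_get_order_notes' ) + $guard,
        array( 'methods' => WP_REST_Server::CREATABLE, 'callback' => 'example_add_order_note' ) + $guard,
    ) );
} );

function example_order_permission_check( WP_REST_Request $request ) {
    // Weak form for comparison: returning is_user_logged_in() here would let any subscriber through.
    $deny = new WP_Error(
        'rest_forbidden',
        'You cannot access this order.',
        array( 'status' => rest_authorization_required_code() ) // 401 if anonymous, 403 otherwise
    );

    // 1. Role-level check: shop managers, or a capability granted to vendors and never to subscribers.
    $is_manager = current_user_can( 'manage_woocommerce' );
    if ( ! $is_manager && ! current_user_can( 'example_manage_vendor_orders' ) ) {
        return $deny;
    }

    // 2. Object-level check: the order must exist and belong to the calling vendor.
    $order = wc_get_order( (int) $request['id'] );
    if ( ! $order ) {
        return $deny; // same response for missing and foreign orders, so IDs cannot be enumerated
    }
    if ( $is_manager ) {
        return true;
    }
    // Assumption: the owning vendor's user ID is stored in this (hypothetical) order meta key.
    return (int) $order->get_meta( '_example_vendor_id' ) === get_current_user_id() ? true : $deny;
}

// Handlers run only after the permission callback has returned true.
function example_get_order_notes( WP_REST_Request $request ) {
    return rest_ensure_response( wc_get_order_notes( array( 'order_id' => (int) $request['id'] ) ) );
}

function example_add_order_note( WP_REST_Request $request ) {
    $order   = wc_get_order( (int) $request['id'] );
    $note_id = $order->add_order_note( sanitize_textarea_field( (string) $request['note'] ) );
    return rest_ensure_response( array( 'id' => $note_id ) );
}
```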
Affected Version(s)
WooCommerce Multivendor Marketplace – REST API * <= 1.5.3