WooCommerce Plugin Vulnerable to Insecure Direct Object Reference

CVE-2023-6897

Summary

The EAN for WooCommerce plugin exposes an Insecure Direct Object Reference vulnerability that impacts all versions up to and including 4.9.2. This flaw arises from the absence of proper validation on a user-controlled key within the 'alg_wc_ean_product_meta' shortcode. As a result, authenticated attackers with contributor-level access or higher can exploit this vulnerability, potentially revealing sensitive post metadata, compromising user privacy and data integrity.

References