WooCommerce Plugin Vulnerable to Insecure Direct Object Reference
CVE-2023-6897

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Ean Barcode Generator For WooCommerce: Upc, Isbn & Gtin Inventory
Vendor: CVE Published:; 18 April 2024

What is CVE-2023-6897?

The EAN for WooCommerce plugin exposes an Insecure Direct Object Reference vulnerability that impacts all versions up to and including 4.9.2. This flaw arises from the absence of proper validation on a user-controlled key within the 'alg_wc_ean_product_meta' shortcode. As a result, authenticated attackers with contributor-level access or higher can exploit this vulnerability, potentially revealing sensitive post metadata, compromising user privacy and data integrity.

Affected Version(s)

EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory 0 <= 4.9.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3070991/ean-...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 18, 2024

CVE-2023-6897 Data

JSON

WordPress

What is CVE-2023-6897?

Affected Version(s)

References

CVSS V3.1

Timeline