WPC Order Notes Vulnerable to Cross-Site Request Forgery
CVE-2024-12004

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: WPc Order Notes For WooCommerce
Vendor: CVE Published:; 11 December 2024

What is CVE-2024-12004?

The WPC Order Notes for WooCommerce plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability due to inadequate nonce validation in the ajax_update_order_note() function. This flaw allows unauthenticated attackers to exploit the system, potentially injecting malicious web scripts. The attack can occur if a site administrator is misled into clicking a malicious link, enabling the attacker to perform unwanted actions within the application without the administrator's consent. Ensuring proper nonce validation and implementing security measures can help mitigate risks associated with this vulnerability.

Affected Version(s)

WPC Order Notes for WooCommerce * <= 1.5.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woo-order-note...

https://wordpress.org/plugins/woo-order-notes/#developers

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 11, 2024
Vulnerability Reserved
Nov 29, 2024

Credit

Dale Mavers