Authentication Bypass Vulnerability in Customer Email Verification for WooCommerce Plugin by WordPress
CVE-2024-13528
7.5HIGH
Key Information:
- Vendor
- WordPress
- Vendor
- CVE Published:
- 12 February 2025
Summary
The Customer Email Verification for WooCommerce plugin for WordPress is susceptible to an authentication bypass vulnerability affecting versions up to 2.9.5. This issue arises from a shortcode allowing the generation of confirmation links utilizing a placeholder email. Authenticated attackers with Contributor-level access can exploit this flaw to create a verification link for any unverified user, gaining unauthorized access to their accounts. The exploit requires the 'Fine tune placement' option to be activated within the plugin settings, elevating the associated risk for website administrators and users.
Affected Version(s)
Customer Email Verification for WooCommerce * <= 2.9.5
References
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
wesley