Authentication Bypass Vulnerability in Customer Email Verification for WooCommerce Plugin by WordPress
CVE-2024-13528

7.5HIGH

Key Information:

Vendor
WordPress
Vendor
CVE Published:
12 February 2025

Summary

The Customer Email Verification for WooCommerce plugin for WordPress is susceptible to an authentication bypass vulnerability affecting versions up to 2.9.5. This issue arises from a shortcode allowing the generation of confirmation links utilizing a placeholder email. Authenticated attackers with Contributor-level access can exploit this flaw to create a verification link for any unverified user, gaining unauthorized access to their accounts. The exploit requires the 'Fine tune placement' option to be activated within the plugin settings, elevating the associated risk for website administrators and users.

Affected Version(s)

Customer Email Verification for WooCommerce * <= 2.9.5

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wesley
.