Data Loss Vulnerability in WooCommerce Email Customizer Plugin for WordPress
CVE-2024-13747
4.3MEDIUM
Key Information:
- Vendor
- Cidcode
- Status
- Woomail - WooCommerce Email Customizer
- Vendor
- CVE Published:
- 5 March 2025
Summary
The WooMail - WooCommerce Email Customizer plugin for WordPress has a security flaw that allows authenticated users, with Subscriber-level access and above, to exploit a missing capability check in the 'template_delete_saved' function. This vulnerability can lead to unauthorized data loss as attackers can inject SQL commands into an existing post deletion query, potentially compromising sensitive information within the WooCommerce environment. It is vital for users of versions up to 3.0.34 to take immediate action to mitigate this risk.
Affected Version(s)
WooMail - WooCommerce Email Customizer * <= 3.0.34
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucio Sá