WooCommerce Customers Manager Plugin Vulnerable to Authorization Bypass and Stored Cross-Site Scripting
CVE-2024-1747

Currently unrated

Key Information:

Vendor: Wordpress
Status: WooCommerce Customers Manager
Vendor: CVE Published:; 1 August 2024

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-1747?

The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.

Affected Version(s)

WooCommerce Customers Manager 0 < 30.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1747 - Proof of Concept

References

https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Aug 1, 2024
👾
Exploit known to exist
Aug 1, 2024
Vulnerability published
Aug 1, 2024
Vulnerability Reserved
Feb 22, 2024

Credit

Erwan LR (WPScan)

WPScan

Wordpress