WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure
CVE-2024-1756

Currently unrated

Key Information:

Vendor: Wordpress
Status: WooCommerce Customers Manager
Vendor: CVE Published:; 24 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name

Affected Version(s)

WooCommerce Customers Manager 0 < 29.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1756 - Proof of Concept

References

https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-...

exploitvdb-entrytechnical-description

Timeline

🟡
Public PoC available
Apr 24, 2024
👾
Exploit known to exist
Apr 24, 2024
Vulnerability published
Apr 24, 2024
Vulnerability Reserved
Feb 22, 2024

Credit

Erwan LR (WPScan)

WPScan