WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure
CVE-2024-1756

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WooCommerce Customers Manager
Vendor: CVE Published:; 24 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name

Affected Version(s)

WooCommerce Customers Manager 0 < 29.8

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1756 - Proof of Concept

References

https://wpscan.com/vulnerability/0baedd8d-2bbe-4091-bec4-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 24, 2024
👾
Exploit known to exist
Apr 24, 2024
Vulnerability published
Apr 24, 2024
Vulnerability Reserved
Feb 22, 2024

Credit

Erwan LR (WPScan)

WPScan