CVE-2024-9927 Vulnerability Details

  /     /     /  

CVE-2024-9927 Metadata Quick Info

CVE Published: 23/10/2024 | CVE Updated: 23/10/2024 | CVE Year: 2024
Source: Wordfence | Vendor: WP Overnight BV | Product: WooCommerce Order Proposal
Status : PUBLISHED

CVE-2024-9927 Description

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators.

Metrics

CVSS Version: 3.1 | Base Score: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-287
CWE Name: CWE-287 Improper Authentication
Source: WP Overnight BV

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description: