5.3

CVE-2020-29156

Exploit

WooCommerce < 4.7.0 - Insecure Direct Object Reference via order_id Parameter

The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
Mögliche Gegenmaßnahme
WooCommerce: Update to version 4.7.0, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WoocommerceWoocommerce SwPlatformwordpress Version < 4.7.0
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt WooCommerce
Version [*, 4.7.0)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.03% 0.893
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/Ko-kn3t/CVE-2020-29156
Third Party Advisory
Exploit
https://raw.githubusercontent.com/woocommerce/woocommerce/master/changelog.txt
Third Party Advisory
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/4279efe9-df57-405a-85a0-6c22e912662c
Third Party Advisory