CVE-2021-4347

Exploit

EPSS 0.09%
Published 07.06.2023 02:15:13
Last modified 21.11.2024 06:37:28
Source security@wordfence.com
Teams watchlist Login
Open Login

The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Zorem ≫ Advanced Shipment Tracking For Woocommerce SwPlatformwordpress Version <= 3.2.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.232

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
security@wordfence.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://blog.nintechnet.com/wordpress-advanced-shipment-tracking-for-woocommerce-fixed-critical-vulnerability/

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/4174b47a-75d0-4ada-bd4d-efbaf0b1a049?source=cve

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-4347

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-4347

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-4347

EUVD