CVE-2023-0865 – WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR

https://notcve.org/view.php?id=CVE-2023-0865

The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as subscriber to add/update/duplicate/delete as well as retrieve addresses of other users. The WooCommerce Multiple Customer Addresses & Shipping plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 21.6. This is due to missing protections on the plugin's administrative functions. This makes it possible for subscriber-level attackers to create, delete, view, and update addresses of other users. • https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec • CWE-639: Authorization Bypass Through User-Controlled Key •