2 results (0.004 seconds)

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-47681 – WordPress WooCommerce Checkout Manager plugin <= 7.3.0 - Broken Access Control vulnerability

https://notcve.org/view.php?id=CVE-2023-47681

Missing Authorization vulnerability in QuadLayers WooCommerce Checkout Manager.This issue affects WooCommerce Checkout Manager: from n/a through 7.3.0. Vulnerabilidad de autorización faltante en QuadLayers WooCommerce Checkout Manager. Este problema afecta a WooCommerce Checkout Manager: desde n/a hasta 7.3.0. The WooCommerce Checkout Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ajax_order_attachment_upload and ajax_delete_attachment functions hooked via AJAX in versions up to, and including, 7.3.0. This makes it possible for unauthenticated attackers to update arbitrary order attachments and delete them. • https://patchstack.com/database/vulnerability/woocommerce-checkout-manager/wordpress-woocommerce-checkout-manager-plugin-7-3-0-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

CVE-2019-11807 – WooCommerce Checkout Manager <= 4.2.6 - Unauthenticated Arbitrary Media Deletion

https://notcve.org/view.php?id=CVE-2019-11807

The WooCommerce Checkout Manager plugin before 4.3 for WordPress allows media deletion via the wp-admin/admin-ajax.php?action=update_attachment_wccm wccm_default_keys_load parameter because of a nopriv_ registration and a lack of capabilities checks. El plugin WooCommerce Checkout Manager en versiones anteriores a la 4.3 para WordPress, permite la eliminación de medios a través del parámetro wp-admin/admin-ajax.php?action=update_attachment_wccm wccm_default_keys_load a causa de nopriv_ registration y una falta de comprobación de las capacidades. • https://wpvulndb.com/vulnerabilities/9262 https://www.wordfence.com/blog/2019/05/unauthenticated-media-deletion-vulnerability-patched-in-woocommerce-checkout-manager-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •