CVE-2023-3365
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment
El complemento MultiParcels Shipping For WooCommerce WordPress anterior a 1.14.14 no tiene autorización al eliminar el envío, lo que permite a cualquier usuario autenticado como subscriptor a eliminar envío arbitrario.
The MultiParcels Shipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'get_history' function in versions up to, and including, 1.14.13. This makes it possible for authenticated attackers with subscriber-level permissions to delete arbitrary shipments.
*Credits:
Erwan LR (WPScan), WPScan
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-06-22 CVE Reserved
- 2023-07-17 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-08-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://wpscan.com/vulnerability/21ce5baa-8085-4053-8d8b-f7d3e2ae70c1 | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Multiparcels Search vendor "Multiparcels" | Multiparcels Shipping For Woocommerce Search vendor "Multiparcels" for product "Multiparcels Shipping For Woocommerce" | < 1.14.14 Search vendor "Multiparcels" for product "Multiparcels Shipping For Woocommerce" and version " < 1.14.14" | wordpress |
Affected
| ||||||