CVE-2023-3365
MultiParcels Shipping For WooCommerce < 1.14.14 - Subscriber+ Arbitrary Shipment Deletion
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment
El complemento MultiParcels Shipping For WooCommerce WordPress anterior a 1.14.14 no tiene autorización al eliminar el envío, lo que permite a cualquier usuario autenticado como subscriptor a eliminar envío arbitrario.
The MultiParcels Shipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'get_history' function in versions up to, and including, 1.14.13. This makes it possible for authenticated attackers with subscriber-level permissions to delete arbitrary shipments.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-06-22 CVE Reserved
- 2023-07-17 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-08-13 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://wpscan.com/vulnerability/21ce5baa-8085-4053-8d8b-f7d3e2ae70c1 | 2024-08-02 |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Multiparcels Search vendor "Multiparcels" | Multiparcels Shipping For Woocommerce Search vendor "Multiparcels" for product "Multiparcels Shipping For Woocommerce" | < 1.14.14 Search vendor "Multiparcels" for product "Multiparcels Shipping For Woocommerce" and version " < 1.14.14" | wordpress |
Affected
|