Customer Email Verification for WooCommerce Sensitive Information Exposure Vulnerability

Vulnerability

A sensitive information exposure vulnerability has been identified in the Customer Email Verification for WooCommerce plugin for WordPress, affecting all versions up to and including 2.9.4. It allows authenticated attackers with Contributor-level access or higher to read sensitive user data, including email addresses and password hashes.

Impact

Exploitation could give a low-privileged account unauthorized access to other users' email addresses and password hashes. Exposed hashes can be taken offline and cracked, so accounts protected by weak passwords are at risk of takeover.

Reproduction

The vulnerability can be reproduced by any authenticated user with Contributor-level access or higher. Contributors cannot publish, but they can create posts and preview them, which is enough to have the plugin's shortcodes rendered. The 'alg_wc_ev_new_user_info' shortcode returns user email addresses, and the 'alg_wc_ev_verification_status' shortcode, intended to show a user's verification status, indirectly exposes password hashes in its output.

Remediation

Update the plugin to version 2.9.5 or later. Because the shortcodes are usable by existing low-privileged accounts, also review posts (including drafts) created by Contributor-level and higher users for the two shortcodes named above, and consider forcing password resets for users whose hashes may have been exposed.
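The following is an added example, not code from the advisory or from the plugin, that turns the Reproduction and Remediation sections into two checks a site owner can run: a version test against the affected range, and a hunt over post content for the two shortcodes placed by accounts below administrator. It assumes posts have been exported from wp_posts with the author's role joined in (the Post fields and the sample rows below are constructed for illustration); the shortcode regex follows WordPress's bracket syntax but is a simplified stand-in, not the core parser.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Shortcodes named in the advisory.
SUSPECT_SHORTCODES = ("alg_wc_ev_new_user_info", "alg_wc_ev_verification_status")

# Last affected version per the advisory ("all versions through 2.9.4").
LAST_VULNERABLE_VERSION = (2, 9, 4)

# Authors in these roles can already read user data; any other author
# placing the shortcodes is treated as suspicious. (Assumption: adjust to
# your site's custom roles.)
PRIVILEGED_ROLES = {"administrator"}

# Matches "[tag]", "[tag attr=...]" or "[tag/]" for the two suspect tags
# only; the lookahead stops "alg_wc_ev_new_user_info_other" from matching.
SHORTCODE_RE = re.compile(
    r"\[(?P<tag>" + "|".join(map(re.escape, SUSPECT_SHORTCODES)) + r")(?=[\s\]/])[^\]]*\]"
)


def parse_version(version: str) -> tuple:
    """Turn '2.9.4' into (2, 9, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True if the installed plugin version is within the affected range."""
    return parse_version(installed) <= LAST_VULNERABLE_VERSION


@dataclass
class Post:
    # Hypothetical shape of a wp_posts row joined with the author's role.
    post_id: int
    author_login: str
    author_role: str
    status: str      # 'draft' matters: Contributors can preview unpublished posts
    content: str


def find_shortcode_abuse(posts: Iterable[Post]) -> List[dict]:
    """Return one finding per suspect shortcode placed by a non-privileged author."""
    findings = []
    for post in posts:
        if post.author_role in PRIVILEGED_ROLES:
            continue
        for match in SHORTCODE_RE.finditer(post.content):
            findings.append({
                "post_id": post.post_id,
                "author": post.author_login,
                "role": post.author_role,
                "status": post.status,
                "shortcode": match.group("tag"),
                "raw": match.group(0),
            })
    return findings


# Constructed sample data for illustration; not real site content.
SAMPLE_POSTS = [
    Post(101, "contrib_alice", "contributor", "draft",
         "Hello [alg_wc_ev_new_user_info] world"),
    Post(102, "admin", "administrator", "publish",
         "[alg_wc_ev_verification_status]"),
    Post(103, "editor_bob", "editor", "pending",
         "Check: [alg_wc_ev_verification_status user_id=5 /]"),
    Post(104, "contrib_carol", "contributor", "draft",
         "[gallery] and [alg_wc_ev_new_user_info_other]"),
]


def run_report(installed_version: Optional[str] = None) -> List[dict]:
    """Print the hunt results (and the version verdict) and return the findings."""
    if installed_version is not None:
        verdict = "VULNERABLE" if is_vulnerable_version(installed_version) else "patched"
        print(f"plugin version {installed_version}: {verdict}")
    findings = find_shortcode_abuse(SAMPLE_POSTS)
    for f in findings:
        print(f"post {f['post_id']} ({f['status']}) by {f['author']} [{f['role']}]: {f['raw']}")
    return findings


if __name__ == "__main__":
    run_report("2.9.4")
```

Post 102 is skipped because its author is an administrator; post 104 is clean because neither '[gallery]' nor the similarly named tag is one of the two shortcodes. Draft and pending posts are deliberately included, since a Contributor never needs to publish to have a shortcode rendered in preview.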

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.