Order Notification for WooCommerce Unauthenticated REST Permission Bypass Vulnerability
Vulnerability
A vulnerability in the Order Notification for WooCommerce WordPress plugin, affecting versions prior to 3.6.3, allows unauthenticated users to bypass WooCommerce's permission checks. This oversight grants full read and write access to store resources, including products, coupons, and customer data, without requiring authentication.
Impact
Exploitation of this vulnerability could lead to unauthorized access and manipulation of WooCommerce store resources, such as products, coupons, and customer information.
Reproduction
To reproduce this vulnerability, send unauthenticated requests to the WooCommerce REST API endpoints for products or coupons. For example, products can be listed without authentication, and new products or coupons can be created by posting to the respective API endpoints, also without authentication.
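For a store operator triaging the exposure window, the useful question is which REST requests hit the authenticated WooCommerce namespace (`wc/v1` to `wc/v3`) for products, coupons or customers, and which of those were writes. The following Python script is an added example, not part of this advisory: it parses combined-format access-log lines, recognizes both the `/wp-json/wc/vN/...` form and the `?rest_route=/wc/vN/...` form WordPress accepts when pretty permalinks are off, excludes the Store API (`wc/store/v1`), which is intentionally public, and groups the hits by source address and method. The log lines are constructed for the example; the endpoint paths are the standard WooCommerce REST routes, assumed here rather than quoted from the advisory. An access log cannot show whether WooCommerce's permission check passed, so the output is a review list, not proof of compromise.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:13:01:02 +0000] "GET /wp-json/wc/v3/products HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:01:05 +0000] "POST /wp-json/wc/v3/products HTTP/1.1" 201 812 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2024:13:01:09 +0000] "POST /wp-json/wc/v3/coupons HTTP/1.1" 201 640 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2024:13:02:11 +0000] "GET /wp-json/wc/store/v1/products HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:13:02:30 +0000] "GET /shop/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:13:03:00 +0000] "DELETE /wp-json/wc/v3/coupons/17 HTTP/1.1" 200 90 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Authenticated WooCommerce REST namespace and the resources named in the advisory.
# The Store API lives under /wc/store/ and deliberately does not match.
WC_ROUTE_RE = re.compile(r'^/wc/v[123]/(products|coupons|customers)(?:/|$)')

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Return a dict with ip, ts, method, target, status, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def wc_resource(target):
    """Map a request target to a WC resource name ('products', ...) or None.

    Handles /wp-json/wc/v3/products and /?rest_route=/wc/v3/products.
    """
    parts = urlsplit(target)
    route = None
    if parts.path.startswith("/wp-json"):
        route = parts.path[len("/wp-json"):]
    else:
        qs = parse_qs(parts.query)
        if "rest_route" in qs:
            route = qs["rest_route"][0]
    if route is None:
        return None
    m = WC_ROUTE_RE.match(route)
    return m.group(1) if m else None


def triage(log_text):
    """Return the log records that touch the authenticated WC REST resources."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        resource = wc_resource(rec["target"])
        if resource is None:
            continue
        rec["resource"] = resource
        rec["write"] = rec["method"] in WRITE_METHODS
        events.append(rec)
    return events


def summarize(events):
    """Count 'METHOD resource' hits per source address for review."""
    by_ip = defaultdict(Counter)
    for e in events:
        by_ip[e["ip"]][f"{e['method']} {e['resource']}"] += 1
    return dict(by_ip)


if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for ip, counts in summarize(events).items():
        writes = sum(n for k, n in counts.items() if k.split()[0] in WRITE_METHODS)
        print(f"{ip}: {dict(counts)}  writes={writes}")
```

Run it against the site's real access log by replacing `SAMPLE_LOG` with the file contents; any source that shows write methods against `products` or `coupons` during the window before the plugin was updated deserves a look at the corresponding store records.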
Remediation
Users are advised to update the Order Notification for WooCommerce WordPress plugin to version 3.6.3 or later.