BuddyPress WooCommerce My Account Integration Missing Capability Check Vulnerability

Vulnerability

A vulnerability exists in the BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress, in versions through 3.4.25. The issue arises from a missing capability check in the wc4bp_delete_page() function, which allows authenticated attackers with Subscriber-level access or higher to update the plugin's page settings without authorization.

Impact

Exploitation of this vulnerability allows for unauthorized updates to the plugin's page settings, potentially leading to unauthorized changes in how WooCommerce member pages are managed or displayed.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wc4bp_delete_page' action via the WordPress admin AJAX interface. The request can include the 'wc4bp_page' parameter to specify which page settings to update. The absence of a proper capability check allows this action to be performed without the necessary permissions.

Remediation

Users are advised to update the BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin to version 3.4.26 or later, where this vulnerability has been patched.
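The defect described above is an admin-ajax handler that changes plugin settings without verifying the caller's capability. The following is an added, illustrative hardened handler for such an action, not the plugin's own code; the nonce action name, the option name and the sanitization are assumptions for demonstration.

```php
<?php
/**
 * Illustrative hardened admin-ajax handler for a settings-changing action.
 * Added example, not the wc4bp plugin's source. The nonce action name
 * ('example_wc4bp_nonce') and option name ('example_wc4bp_pages') are assumed.
 */

// Registering only a 'wp_ajax_' hook (no 'wp_ajax_nopriv_' twin) restricts the
// action to logged-in users, but any role, including Subscriber, can still call it.
add_action( 'wp_ajax_wc4bp_delete_page', 'example_wc4bp_delete_page_handler' );

function example_wc4bp_delete_page_handler() {
    // 1. Nonce check: ties the request to a form or script this site emitted.
    check_ajax_referer( 'example_wc4bp_nonce', 'security' );

    // 2. Capability check: the step the advisory reports as missing. Changing
    //    plugin-wide page settings is an administrator task, so require
    //    manage_options rather than merely being authenticated.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the 'wc4bp_page' parameter named in the advisory before use.
    $page = isset( $_POST['wc4bp_page'] ) ? sanitize_key( wp_unslash( $_POST['wc4bp_page'] ) ) : '';
    if ( '' === $page ) {
        wp_send_json_error( array( 'message' => 'Missing page key.' ), 400 );
    }

    // 4. Only after both checks pass is the stored setting modified.
    $pages = get_option( 'example_wc4bp_pages', array() );
    unset( $pages[ $page ] );
    update_option( 'example_wc4bp_pages', $pages );

    wp_send_json_success( array( 'deleted' => $page ) );
}
```

wp_send_json_error() terminates the request, so no explicit return is needed after a failed check.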

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.