The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts.
Metrics
Affected Vendors & Products
References
History
Wed, 16 Oct 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Shopwp
Shopwp shopwp |
|
CPEs | cpe:2.3:a:shopwp:shopwp:*:*:*:*:*:*:*:* | |
Vendors & Products |
Shopwp
Shopwp shopwp |
|
Metrics |
ssvc
|
Wed, 16 Oct 2024 07:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. | |
Title | ShopWP <= 2.0.4 - Missing Authorization to Stored Cross-Site Scripting | |
Weaknesses | CWE-862 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-10-16T06:43:43.143Z
Updated: 2024-10-16T18:03:06.895Z
Reserved: 2024-10-15T17:43:51.693Z
Link: CVE-2019-25214
Vulnrichment
Updated: 2024-10-16T17:35:28.219Z
NVD
Status : Awaiting Analysis
Published: 2024-10-16T07:15:06.153
Modified: 2024-10-16T16:38:14.557
Link: CVE-2019-25214
Redhat
No data.