Impact
The vulnerability is an unauthenticated broken access control flaw in Montonio for WooCommerce plugin versions 10.1.2 and earlier, identified by CWE-862. Because the plugin fails to enforce proper authorization checks, users who do not possess valid credentials can potentially perform actions that should be restricted, leading to unauthorized manipulation of the plugin’s configuration or other protected functions.
Affected Systems
WordPress sites that incorporate Montonio for WooCommerce plugin at version 10.1.2 or earlier are affected. The flaw is confined to this plugin and does not extend to core WordPress components or other plugins.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of < 1% reflects a low probability of exploitation. This vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by making unauthenticated HTTP requests to the plugin’s endpoints, thereby bypassing authentication checks and gaining access to privileged functions.
OpenCVE Enrichment