Vulnerability Details: CVE-2020-11497
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.
Products affected by CVE-2020-11497
- cpe:2.3:a:woocommerce:nab_transact:2.1.0:*:*:*:*:wordpress:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-11497
- 0.27%: probability of exploitation activity in the next 30 days
- ~68%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2020-11497
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2020-11497
- The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-11497
- http://seclists.org/fulldisclosure/2020/Aug/13
  Full Disclosure: Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure (Exploit; Mailing List; Third Party Advisory)
- http://packetstormsecurity.com/files/158931/WordPress-NAB-Transact-WooCommerce-2.1.0-Payment-Bypass.html
  WordPress NAB Transact WooCommerce 2.1.0 Payment Bypass ≈ Packet Storm (Third Party Advisory)
- https://www.themissinglink.com.au/security-advisories-cve-2020-11497
  Advisory cve-2020-11497 (Exploit; Third Party Advisory)