Vulnerability Details: CVE-2023-6327
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
Vulnerability category: Bypass
Products affected by CVE-2023-6327
Exploit prediction scoring system (EPSS) score for CVE-2023-6327
0.52%: probability of exploitation activity in the next 30 days
~66%: percentile, the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2023-6327
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | N/A | N/A | Wordfence | 2024-05-13 |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | Wordfence | 2024-05-14 |
References for CVE-2023-6327
- https://www.wordfence.com/threat-intel/vulnerabilities/id/263324cb-31b7-40ad-ad7d-4582e128cd75?source=cve
  ShopLentor (formerly WooLentor) <= 2.8.7 - Missing Authorization via purchased_new_products
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/2.7.4/includes/modules/sales-notification/class.sale_notification.php
- https://plugins.trac.wordpress.org/changeset/3080097/woolentor-addons/trunk/includes/modules/sales-notification/class.sale_notification.php?contextall=1&old=3061864&old_path=%2Fwoolentor-addons%2Ftrunk%2Fincludes%2Fmodules%2Fsales-notification%2Fclass.sale_notification.php
  Diff [3061864:3080097] for woolentor-addons/trunk/includes/modules/sales-notification/class.sale_notification.php – WordPress Plugin Repository