WordPress · Woocommerce Order Proposal · CVE-2024-9927
**Name of the Vulnerable Software and Affected Versions**
WooCommerce Order Proposal plugin for WordPress versions up to and including 2.0.5
**Description**
The issue is due to the improper implementation of the `allow payment without login` function, making it possible for authenticated attackers with Shop Manager-level access and above to log in to WordPress as an arbitrary user account, including administrators, via order proposal.
**Recommendations**
For versions up to and including 2.0.5, update to a version later than 2.0.5 to resolve the issue.
As a temporary workaround, consider restricting access to the `allow payment without login` function until a patch is available.