Yan&Co Aps

**Name of the Vulnerable Software and Affected Versions** WooCommerce EAN Payment Gateway plugin for WordPress versions up to 6.1.0 **Description** The issue is related to unauthorized modification of data due to a missing capability check on the `refresh order ean data` AJAX action. This allows authenticated attackers with contributor-level access and above to update EAN numbers for orders. **Recommendations** For versions up to 6.1.0, update to a version that includes a fix for the missing capability check on the `refresh order ean data` AJAX action. As a temporary workaround, consider restricting access to the `refresh order ean data` AJAX action to prevent unauthorized modification of EAN numbers for orders.

**Name of the Vulnerable Software and Affected Versions** WooCommerce CVR Payment Gateway plugin for WordPress versions up to 6.1.0 **Description** The issue allows unauthorized modification of data due to a missing capability check on the `refresh order cvr data` AJAX action. This makes it possible for authenticated attackers with contributor-level access and above to update CVR numbers for orders. **Recommendations** For versions up to 6.1.0, update to a version that includes a fix for the missing capability check on the `refresh order cvr data` AJAX action. As a temporary workaround, consider restricting access to the `refresh order cvr data` AJAX action to prevent unauthorized modification of data.