PT-2020-12647 · Automattic+2 · Woocommerce+2

Jack Misiura · Published 2020-08-26 · Updated 2020-09-01 · CVE-2020-11497

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

NAB Transact extension version 2.1.0 for the WooCommerce plugin for WordPress

Description

An issue allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step, effectively bypassing the online payment system.

Recommendations

For NAB Transact extension version 2.1.0, update to a newer version that contains a fix for this issue, as assigning arbitrary bank transaction IDs could lead to unauthorized order fulfillment. At the moment, there is no information about a newer version that contains a fix for this vulnerability.


Related Identifiers

CVE-2020-11497

Affected Products

NAB Transact Extension
WooCommerce
WordPress