CVE-2023-2179

Name of the Vulnerable Software and Affected Versions WooCommerce Order Status Change Notifier WordPress plugin version 1.1.0 and earlier

Description The issue is related to a lack of authorization and CSRF protection when updating order status via an AJAX action, which is available to any authenticated user. This could allow low-privilege users, such as subscribers, to update arbitrary order status, potentially making orders appear paid without actual payment.

Recommendations For WooCommerce Order Status Change Notifier WordPress plugin version 1.1.0 and earlier, consider disabling the AJAX action for updating order status until a patch is available. Restrict access to the order status update functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.