CVE-2023-2781

Name of the Vulnerable Software and Affected Versions User Email Verification for WooCommerce plugin for WordPress versions up to, and including, 3.5.0

Description The issue is due to a random token generation weakness in the resend verification email function, allowing unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts. This can automatically log the attacker in as the targeted user, including site administrators, if the Allow Automatic Login After Successful Verification setting is enabled. The authenticate user by email function is vulnerable to authentication bypass.

Recommendations For versions up to, and including, 3.5.0, consider disabling the resend verification email function and the Allow Automatic Login After Successful Verification setting until a patch is available. Restrict access to the authenticate user by email function to minimize the risk of exploitation. Update to a version later than 3.5.0 when available.