PT-2024-10745 · WordPress · Wp Shop
Published
2024-10-15
·
Updated
2024-10-21
·
CVE-2019-25214
CVSS v3.1
7.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
ShopWP plugin for WordPress versions up to, and including, 2.0.4
Description
The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts.
Recommendations
For versions up to, and including, 2.0.4, update the plugin to the latest version to mitigate risks. As a temporary workaround, consider restricting access to the vulnerable REST API routes until a patch is available.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp Shop