CVE-2024-10711

Name of the Vulnerable Software and Affected Versions WooCommerce Report plugin for WordPress versions up to, and including, 1.5.1

Description The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 1.5.1, update to version 1.5.2 to secure your site. As a temporary workaround, consider restricting access to the settings update functionality until a patch is available. Avoid using the vulnerable settings update functionality in the affected plugin until the issue is resolved.