CVE-2024-11281

Name of the Vulnerable Software and Affected Versions WooCommerce Point of Sale plugin for WordPress versions up to, and including, 6.1.0

Description The issue is due to insufficient validation on the logged in user id value when option values are empty, allowing attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account.

Recommendations For versions up to, and including, 6.1.0, upgrade to version 6.2.0 or later to mitigate this risk. As a temporary workaround, consider restricting access to user account management features until the issue is resolved. Avoid using the logged in user id value in sensitive operations until the issue is fixed.