CVE-2024-12432

Name of the Vulnerable Software and Affected Versions WPC Shop as a Customer for WooCommerce plugin for WordPress versions prior to 1.2.9

Description The issue affects the WPC Shop as a Customer for WooCommerce plugin for WordPress, allowing account takeover and privilege escalation. This is due to the generate key function not producing a sufficiently random value. Authenticated attackers with Subscriber-level access and above can log in as site administrators if they have triggered the ajax login() function, which generates a unique key for login.

Recommendations For versions prior to 1.2.9, update to version 1.2.9 or later to resolve the issue. As a temporary workaround, consider disabling the ajax login() function until a patch is available. Restrict access to the generate key function to minimize the risk of exploitation. Avoid using the ajax login() function in the affected plugin until the issue is resolved.