PT-2024-18187 · WordPress · License Manager For Woocommerce

Lucio Sá

·

Published

2024-06-20

·

Updated

2024-07-17

·

CVE-2024-1639

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

License Manager for WooCommerce plugin for WordPress, versions up to and including 3.0.7

Description

The plugin's showLicenseKey() and showAllLicenseKeys() functions return decrypted license keys without performing a capability check. The only access control on these handlers is a referrer nonce check, and the nonce value is exposed in a license JS variable on the admin dashboard. A nonce only proves that a request was built from a page WordPress rendered for the current logged-in user; it does not establish that the user is authorized to perform the action. Any authenticated user who can load the dashboard page carrying that variable (which does not require an administrator role, matching PR:L in the vector) can therefore read the nonce and request arbitrary decrypted license keys.

Recommendations

Update the plugin to a version newer than 3.0.7 as soon as a fixed release is available. Where that is not immediately possible, block or disable the showLicenseKey() and showAllLicenseKeys() handlers for users who lack an appropriate capability rather than relying on the nonce, and limit the accounts that can log in to the affected site. Treat the nonce carried in the license JS variable as known to every logged-in user; it provides no protection against this issue.
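The distinction between a nonce check and a capability check, and the interim mitigation suggested above, shown in PHP. This is an added example and not code from License Manager for WooCommerce or its fix; the nonce action, AJAX action names, capability and the tiny key store are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Capability-check illustration for CVE-2024-1639
 *
 * Added example, not code from License Manager for WooCommerce. The function,
 * nonce, capability and AJAX action names below are assumed for illustration.
 */

// Constructed sample data standing in for the plugin's encrypted key store.
function example_decrypted_license_key( $license_id ) {
    $constructed_store = array(
        1 => 'AAAA-1111-BBBB-2222',
        2 => 'CCCC-3333-DDDD-4444',
    );
    return isset( $constructed_store[ $license_id ] ) ? $constructed_store[ $license_id ] : null;
}

// Vulnerable pattern (shown for comparison, deliberately NOT hooked): the nonce
// is the only gate. A nonce proves the request was built from a page WordPress
// rendered for the current logged-in user; it says nothing about that user's
// role. Once the nonce value sits in a JS variable on a dashboard page that
// every authenticated user can load, every authenticated user passes this check.
function example_show_license_key_vulnerable() {
    check_ajax_referer( 'example_license_nonce', 'security' );
    $license_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    wp_send_json_success( array( 'key' => example_decrypted_license_key( $license_id ) ) );
}

// Hardened pattern: keep the nonce (CSRF protection) and add the authorization
// decision the nonce cannot make. 'manage_woocommerce' is an assumed choice;
// use whichever capability actually gates license management in your setup.
function example_show_license_key_hardened() {
    check_ajax_referer( 'example_license_nonce', 'security' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $license_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $key        = example_decrypted_license_key( $license_id );
    if ( null === $key ) {
        wp_send_json_error( array( 'message' => 'Unknown license.' ), 404 );
    }
    wp_send_json_success( array( 'key' => $key ) );
}
add_action( 'wp_ajax_example_show_license_key', 'example_show_license_key_hardened' );

// Interim mitigation for an install still on <= 3.0.7, deployable as an
// mu-plugin: refuse the two AJAX actions to anyone lacking the capability
// before the plugin's own handler runs. In admin-ajax.php, admin_init fires
// before any wp_ajax_{action} hook. The action names are assumed; confirm them
// against the installed plugin's add_action( 'wp_ajax_...' ) registrations.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $blocked = array( 'lmfwc_show_license_key', 'lmfwc_show_all_license_keys' ); // assumed names
    if ( in_array( $action, $blocked, true ) && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Action blocked pending plugin update.' ), 403 );
    }
}, 0 );
```

The mu-plugin approach works because wp_send_json_error() terminates the request, so the plugin's handler never executes for a denied caller; the nonce check in the original handler stays untouched and continues to serve its CSRF purpose for users who are allowed through.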

Fix

Weakness Enumeration

Incorrect Authorization

Missing Authorization

Related Identifiers

CVE-2024-1639

Affected Products

License Manager For Woocommerce