PT-2024-38907 · WordPress · Woocommerce Photo Reviews Premium

Tonn · Published 2024-09-11 · Updated 2024-09-26 · CVE-2024-8277

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WooCommerce Photo Reviews Premium plugin for WordPress versions up to, and including, 1.3.13.2
Description: The plugin's login() function does not validate which user transient it reads and does not verify the identity of the user making the request. This makes it possible for unauthenticated attackers to log in as a user who has dismissed an admin notice in the past 30 days, which is often an administrator. More generally, any transient whose value is a valid user id can be used to log in as that user.
Recommendations: For versions up to, and including, 1.3.13.2, update the plugin to a version that contains a fix for this issue. As a temporary workaround, consider disabling the login() function until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the user id variable in the affected login process until the issue is resolved.
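To show the shape of a fix for the two defects described above (the transient key being chosen by the request, and no proof that the caller is the user the transient points to), here is an added example of a token-based login for WordPress. It is not the plugin's code; every name prefixed wcpr_ex_ is an assumption made for this example.

```php
<?php
// Added example, not the plugin's code: a transient-backed login that avoids the two
// defects the advisory describes (caller-chosen transient name, no identity check).
// Names prefixed wcpr_ex_ are assumptions made for this example.

define( 'WCPR_EX_PREFIX', 'wcpr_ex_login_' );          // fixed prefix: only keys we issued resolve
define( 'WCPR_EX_TTL', 15 * MINUTE_IN_SECONDS );
// Issue a one-time login token; only an HMAC of the token is stored, never the token itself.
function wcpr_ex_issue_login_token( int $user_id ): string {
    $token = wp_generate_password( 32, false, false );   // random, alphanumeric
    $key   = WCPR_EX_PREFIX . hash_hmac( 'sha256', $token, wp_salt( 'auth' ) );
    set_transient( $key, [ 'uid' => $user_id, 'exp' => time() + WCPR_EX_TTL ], WCPR_EX_TTL );
    return $token;
}
// Consume a token; returns the logged-in user id, or 0 on any failure.
function wcpr_ex_login_with_token( string $token ): int {
    if ( ! preg_match( '/^[A-Za-z0-9]{32}$/', $token ) ) {
        return 0;                                        // malformed
    }
    // The request never names a transient; the key is derived from the secret token,
    // so a transient set by some other feature (e.g. a dismissed-notice flag) cannot match.
    $key  = WCPR_EX_PREFIX . hash_hmac( 'sha256', $token, wp_salt( 'auth' ) );
    $data = get_transient( $key );
    if ( ! is_array( $data ) || empty( $data['uid'] ) || empty( $data['exp'] ) ) {
        return 0;                                        // unknown token
    }
    delete_transient( $key );                            // single use, even if later checks fail
    if ( time() > (int) $data['exp'] ) {
        return 0;                                        // expired (object caches may outlive TTL)
    }
    $user = get_user_by( 'id', (int) $data['uid'] );
    if ( ! $user ) {
        return 0;                                        // id no longer maps to an account
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    return $user->ID;
}
// Endpoint wiring (assumed): the request carries the token and nothing else.
add_action( 'init', function () {
    if ( ! isset( $_GET['wcpr_ex_token'] ) ) {
        return;
    }
    if ( ! wcpr_ex_login_with_token( sanitize_text_field( wp_unslash( $_GET['wcpr_ex_token'] ) ) ) ) {
        wp_die( 'Invalid or expired login token.', '', [ 'response' => 403 ] );
    }
    wp_safe_redirect( admin_url() );
    exit;
} );
```

The token must still be delivered to the user over a channel that proves identity (for example an e-mail to the address on the account), which is the identity check the advisory says is missing.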

Fix

Weakness Enumeration

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2024-8277

Affected Products

Woocommerce Photo Reviews Premium