CVE-2024-8292

Name of the Vulnerable Software and Affected Versions: WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.8

Description: The WP-Recall plugin for WordPress is vulnerable to privilege escalation/account takeover due to improper verification of a user's identity during new order creation. This allows unauthenticated attackers to supply any email through the user email field and update the password for that user during new order creation. The commerce addon must be enabled to exploit this issue.

Recommendations: For WP-Recall – Registration, Profile, Commerce & More plugin for WordPress versions up to, and including, 16.26.8: Update to a version later than 16.26.8 to resolve the issue. As a temporary workaround, consider disabling the commerce addon to minimize the risk of exploitation. Restrict access to the user email field in the new order creation process until the issue is resolved.