CVE-2024-12264

Name of the Vulnerable Software and Affected Versions PayU CommercePro Plugin for WordPress versions up to, and including, 3.8.3

Description The issue is due to the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the user's ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.

Recommendations For PayU CommercePro Plugin for WordPress versions up to, and including, 3.8.3, consider disabling the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost API endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.