Description
The WooCommerce WordPress plugin, from version 5.4.0 to 10.5.2, does not properly handle batch requests. This could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.
Problem types
CWE-352 Cross-Site Request Forgery (CSRF)
Product status
5.4.0 (semver) before 5.4.4
5.5.0 (semver) before 5.4.5
5.6.0 (semver) before 5.6.3
5.7.0 (semver) before 5.7.3
5.8.0 (semver) before 5.8.2
5.9.0 (semver) before 5.9.2
6.0.0 (semver) before 6.0.2
6.1.0 (semver) before 6.1.3
6.2.0 (semver) before 6.2.3
6.3.0 (semver) before 6.3.2
6.4.0 (semver) before 6.4.2
6.5.0 (semver) before 6.5.2
6.6.0 (semver) before 6.6.2
6.7.0 (semver) before 6.7.1
6.8.0 (semver) before 6.8.3
6.9.0 (semver) before 6.9.5
7.0.0 (semver) before 7.0.2
7.1.0 (semver) before 7.1.2
7.2.0 (semver) before 7.2.4
7.3.0 (semver) before 7.3.1
7.4.0 (semver) before 7.4.2
7.5.0 (semver) before 7.5.2
7.6.0 (semver) before 7.6.2
7.7.0 (semver) before 7.7.3
7.8.0 (semver) before 7.8.4
7.9.0 (semver) before 7.9.2
8.0.0 (semver) before 8.0.5
8.1.0 (semver) before 8.1.4
8.2.0 (semver) before 8.2.5
8.3.0 (semver) before 8.3.4
8.4.0 (semver) before 8.4.3
8.5.0 (semver) before 8.5.5
8.6.0 (semver) before 8.6.4
8.7.0 (semver) before 8.7.3
8.8.0 (semver) before 8.8.7
8.9.0 (semver) before 8.9.5
9.0.0 (semver) before 9.0.4
9.1.0 (semver) before 9.1.7
9.2.0 (semver) before 9.2.5
9.3.0 (semver) before 9.3.6
9.4.0 (semver) before 9.4.5
9.5.0 (semver) before 9.5.4
9.6.0 (semver) before 9.6.4
9.7.0 (semver) before 9.7.3
9.8.0 (semver) before 9.8.7
9.9.0 (semver) before 9.9.7
10.0.0 (semver) before 10.0.6
10.1.0 (semver) before 10.1.4
10.2.0 (semver) before 10.2.4
10.3.0 (semver) before 10.3.8
10.4.0 (semver) before 10.4.4
10.5.0 (semver) before 10.5.3
Credits
oolongeya
References
wpscan.com/...rability/53ded097-274d-4850-82ee-620bf02f7553/
developer.woocommerce.com/...ity-patched-in-woocommerce-5-4/