admin/cve
1
0
Fork 0
mirror of https://github.com/0xMarcio/cve.git synced 2025-11-30 18:56:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
cve/2024/CVE-2024-1747.md

19 lines
1.0 KiB
Markdown
Raw Normal View History

Update CVE sources 2024-08-05 18:41
2024-08-05 18:41:32 +00:00
### [CVE-2024-1747](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1747)
![](https://img.shields.io/static/v1?label=Product&message=WooCommerce%20Customers%20Manager&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%3C%2030.2%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-352%20Cross-Site%20Request%20Forgery%20(CSRF)&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%20Cross-Site%20Scripting%20(XSS)&color=brighgreen)
### Description
The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.
### POC
#### Reference
- https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/
#### Github
Update CVE sources 2024-08-11 18:44
2024-08-11 18:44:53 +00:00
- https://github.com/20142995/nuclei-templates
Update CVE sources 2024-08-05 18:41
2024-08-05 18:41:32 +00:00
Reference in New Issue Copy Permalink