CVE-2024-1756

CWE-352Cross-Site Request Forgery (CSRF)CWE-200Information Exposure3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 75.86%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Woocommerce Customers ManagerVanquish Woocommerce Customers Manager
Timeline
PublishedApr 24

Description

The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-j23h-727c-9qvf: The WooCommerce Customers Manager WordPress plugin before 292024-04-24
CVEList
WooCommerce Customers Manager < 29.8 - Subscriber+ Email Disclosure2024-04-24
CVE-2024-1756 (MEDIUM CVSS 6.5) | The WooCommerce Customers Manager W | cvebase.io