CVE-2023-4924
BEAR <= 1.1.3.3 - Missing Authorization to Product Deletion
The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Produtos afetados
realmag777 · BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.NetQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php#L344https://plugins.trac.wordpress.org/changeset/2970262/woo-bulk-editor/trunk/ext/bulkoperations/bulkoperations.php?contextall=1&old=2844667&old_path=%2Fwoo-bulk-editor%2Ftrunk%2Fext%2Fbulkoperations%2Fbulkoperations.phphttps://www.wordfence.com/threat-intel/vulnerabilities/id/7dfd0246-4265-4dde-8a1e-18b7042eae74?source=cve