What is this Authorization Bypass vulnerability?

this Authorization Bypass vulnerability is tracked as a Authorization Bypass issue affecting the Plugin WooCommerce Customers Manager.

Which WooCommerce Customers Manager versions are affected?

The primary affected range is Versions before 26.5.

How should operators remediate this Authorization Bypass vulnerability?

Update to 26.5 or newer where that release is compatible with the site.

Vulnerability Report

Plugin High Patch path listed

Woocommerce Customers Manager <= 26.4 - Authenticated Account Creation and Privilege Escalation

The Woocommerce Customers Manager plugin for WordPress is vulnerable to authorization bypass due to a missing capability checks in the user import in versions up to, and including, 26.4. This makes it possible for Subscriber-level attackers to import arbitrary user information to create or update administrative accounts.

Quick Answer

This vulnerability is a high severity with CVSS 8.8 Authorization Bypass issue affecting the Plugin WooCommerce Customers Manager. It affects Versions before 26.5 and is fixed in 26.5.

Back to Feed View Plugin Hub

Published

Feb 24, 2021

Last Updated

Jan 22, 2024

Slug

woocommerce-customers-manager

Risk Profile

8.8 CVSS Score

Weakness

Incorrect Privilege Assignment

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Researchers

John Castro

Operational Summary

What the operator needs to know

Share Email

Patch Status

Patched release is available

Remediation

Update to version 26.5, or a newer patched version

Operator Briefing

the tracked vulnerability is tracked for the Plugin WooCommerce Customers Manager as high severity with CVSS 8.8. The affected range is Versions before 26.5. Update WooCommerce Customers Manager to 26.5 or newer where that version is compatible with the site.

Issue Type

Authorization Bypass

Primary Fixed Version

26.5

Primary Affected Range

Versions before 26.5

Tracking ID

486fa1a6-aa47-4bf9-b1da-582e316f6bcb

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/486fa1a6-aa47-4bf9-b1da-582e316f6bcb?source=api-prod

Detailed Metadata

Software Type	Plugin
Software Slug	woocommerce-customers-manager View on wordpress.org
CVE	No linked CVE entry.
Patched Versions	26.5
Affected Versions	Versions before 26.5

Related CVE Cluster

Related CVEs for WooCommerce Customers Manager

These internal links group the same WordPress plugin by CVE, issue type, severity, and patch status so operators and search engines can connect the full vulnerability cluster.

Critical CVE-2024-0399 29.7 Mar 25, 2024

CVE-2024-0399 WooCommerce Customers Manager SQL Injection

WooCommerce Customers Manager <= 29.6 - Authenticated (Subscriber+) SQL Injection

High CVE-2024-13343 31.4 Jan 31, 2025

CVE-2024-13343 WooCommerce Customers Manager Privilege Escalation

WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Medium CVE-2024-1747 30.2 Jul 11, 2024

CVE-2024-1747 WooCommerce Customers Manager Stored Cross-Site Scripting

WooCommerce Customers Manager <= 30.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Medium CVE-2024-1743 29.8 Apr 03, 2024

CVE-2024-1743 WooCommerce Customers Manager Cross-Site Scripting

WooCommerce Customers Manager <= 29.7 - Reflected Cross-Site Scripting

Medium CVE-2024-2843 30.1 Jul 11, 2024

CVE-2024-2843 WooCommerce Customers Manager Cross-Site Request Forgery

WooCommerce Customers Manager < 30.1 - Cross-Site Request Forgery to Customer Deletion via 'Delete'

Medium CVE-2024-3983 30.1 Jul 11, 2024

CVE-2024-3983 WooCommerce Customers Manager Cross-Site Request Forgery

WooCommerce Customers Manager < 30.1 - Cross-Site Request Forgery to Customer Deletion

Medium CVE-2024-1756 29.8 Apr 02, 2024

CVE-2024-1756 WooCommerce Customers Manager Vulnerability

WooCommerce Customers Manager <= 29.7 - Missing Authorization to Information Exposure

High 26.6 Mar 30, 2021

WooCommerce Customers Manager Cross-Site Request Forgery

Woocommerce Customers Manager <= 26.5 - Cross-Site Request Forgery to Account Creation

Licensing Notices

This record contains material that is subject to copyright

DEFIANT

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more