The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts.
Metrics
Affected Vendors & Products
References
History
Wed, 16 Oct 2024 18:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Shopwp
Shopwp shopwp |
|
CPEs | cpe:2.3:a:shopwp:shopwp:*:*:*:*:*:*:*:* | |
Vendors & Products |
Shopwp
Shopwp shopwp |
|
Metrics |
ssvc
|
Wed, 16 Oct 2024 07:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The ShopWP plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST API routes in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to call the endpoints and perform unauthorized actions such as updating the plugin's settings and injecting malicious scripts. | |
Title | ShopWP <= 2.0.4 - Missing Authorization to Stored Cross-Site Scripting | |
Weaknesses | CWE-862 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2024-10-16T18:03:06.895Z
Reserved: 2024-10-15T17:43:51.693Z
Link: CVE-2019-25214

Updated: 2024-10-16T17:35:28.219Z

Status : Awaiting Analysis
Published: 2024-10-16T07:15:06.153
Modified: 2024-10-16T16:38:14.557
Link: CVE-2019-25214

No data.