CVE-2024-7491

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7491
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be enabled.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3156511%40woocommerce-products-filter&old=3129454%40woocommerce-products-filter&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/daf6b0d5-79a6-4b8f-924e-9e78cb2b5742?source=cve
Configurations

No configuration.

History

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) El complemento HUSKY – Products Filter Professional para WooCommerce para WordPress es vulnerable a la referencia directa a objetos inseguros en todas las versiones hasta la 1.3.6.1 incluida a través de la acción AJAX woof_messenger_remove_subscr debido a la falta de validación en la clave controlada por el usuario 'key'. Esto hace posible que los atacantes autenticados, con acceso de nivel de suscriptor y superior, cancelen la suscripción de los usuarios a las notificaciones de productos, si pueden obtener o forzar con éxito el valor de la clave de los usuarios que se registraron para recibir notificaciones. Esta vulnerabilidad requiere que la extensión Products Messenger del complemento esté habilitada.

25 Sep 2024, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-25 03:15

Updated : 2024-09-26 13:32

NVD link : CVE-2024-7491

Mitre link : CVE-2024-7491

CVE.ORG link : CVE-2024-7491

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization