Vulnerability Details CVE-2019-11807
The WooCommerce Checkout Manager plugin before 4.3 for WordPress allows media deletion via the wp-admin/admin-ajax.php?action=update_attachment_wccm wccm_default_keys_load parameter because of a nopriv_ registration and a lack of capabilities checks.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.8%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.4
References
- https://wpvulndb.com/vulnerabilities/9262
- https://www.wordfence.com/blog/2019/05/unauthenticated-media-deletion-vulnerability-patched-in-woocommerce-checkout-manager-plugin/
- https://wpvulndb.com/vulnerabilities/9262
- https://www.wordfence.com/blog/2019/05/unauthenticated-media-deletion-vulnerability-patched-in-woocommerce-checkout-manager-plugin/
Products affected by CVE-2019-11807
-
cpe:2.3:a:visser:woocommerce_checkout_manager:*