CVE-2023-28121

Published Apr 12, 2023

Last updated a year ago

Overview

Description: An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
Source: support@hackerone.com
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-287
support@hackerone.com: CWE-287

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FE70E8AE-CFBB-4575-A340-DBD17C3CE853",
            "versionEndExcluding": "4.8.2",
            "versionStartIncluding": "4.8.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "519111D8-D787-4B95-91F3-9FCFF17723C3",
            "versionEndExcluding": "5.0.4",
            "versionStartIncluding": "5.0.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "47F55EC1-8DE8-4BB8-9D92-23510CB191FF",
            "versionEndExcluding": "5.1.3",
            "versionStartIncluding": "5.1.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0D29E155-A3A0-446A-A414-B3CC66D6450B",
            "versionEndExcluding": "5.2.2",
            "versionStartIncluding": "5.2.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woocommerce_payments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8AF27AE4-B382-4293-9E7A-1A06769DFF1D",
            "versionEndExcluding": "5.5.2",
            "versionStartIncluding": "5.5.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woopayments:*:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AEB22CB8-53ED-4073-ADA9-8C87B4F0176F",
            "versionEndExcluding": "5.6.2",
            "versionStartIncluding": "5.6.0"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woopayments:4.9.0:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "08275EF1-5695-4CC4-A4B9-8D5429C37DB1"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woopayments:5.3.0:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A4D5E491-B3BB-4D91-9DD6-845A35833F20"
          },
          {
            "criteria": "cpe:2.3:a:automattic:woopayments:5.4.0:*:*:*:*:wordpress:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0D756027-30C4-443C-8421-62D6EFA8B2C3"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References