CVE-2024-4185 Information

Description

The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to and including 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification and if both the \Login the user automatically after the account is verified\ and \Verify account for current users\ options are checked then it potentially makes it possible for attackers to bypass authentication for other users.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299 https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731 https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1