Vulnerability Description
An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Automattic | Woocommerce Payments | >= 4.8.0, < 4.8.2 |
| Automattic | Woopayments | >= 5.6.0, < 5.6.2 |
Related Weaknesses (CWE)
References
- https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-Vendor Advisory
- https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a
- https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-Vendor Advisory
- https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a
FAQ
What is CVE-2023-28121?
CVE-2023-28121 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a re...
How severe is CVE-2023-28121?
CVE-2023-28121 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-28121?
Check the references section above for vendor advisories and patch information. Affected products include: Automattic Woocommerce Payments, Automattic Woopayments.