CVE-2024-9927

HIGH Year: 2024
CVSS v3 Score
7.2
High
Weakness Type
CWE-287
View all →

Vulnerability Description

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators.

Related Vulnerabilities

CVE-2016-10831

HIGH
CVSS:7.2(High)

cPanel before 55.9999.141 does not perform as two-factor authentication check when possessing another account (SEC-101).

CWE-2872016

CVE-2017-14602

HIGH
CVSS:7.2(High)

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 10.1 before build 135.18, 10.5 before build 66.9, 10.5e ...

CWE-2872017

CVE-2017-15519

HIGH
CVSS:7.2(High)

Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote attackers to view and modify backup related data via the Plug-in for NAS File Services. All users are urged to move to version 3.0...

CWE-2872017

CVE-2018-0116

HIGH
CVSS:7.2(High)

A vulnerability in the RADIUS authentication module of Cisco Policy Suite could allow an unauthenticated, remote attacker to be authorized as a subscriber without providing a valid password; however, ...

CWE-2872018

CVE-2018-7067

HIGH
CVSS:7.2(High)

A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise. An authentication flaw in all versions of ClearPass could allow an attacker to compromise the ent...

CWE-2872018

CVE-2019-14705

HIGH
CVSS:7.2(High)

An Incorrect Access Control issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5 because any valid cookie can be used to make requests as an admin.

CWE-2872019