This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: The `order_info` REST endpoint in bSecure lacks proper authorization checks.β¦
π‘οΈ **Root Cause**: **CWE-862** (Missing Authorization). The flaw lies in the `class-bsecure-checkout.php` file where the REST API endpoint does not verify if the user has the right permissions to access the data. π
Q3Who is affected? (Versions/Components)
π¦ **Affected**: WordPress Plugin **bSecure β Your Universal Checkout**. π **Version**: **1.7.9 and earlier**. π’ **Vendor**: bsecuretech. If you are running an older version, you are at risk!
Q4What can hackers do? (Privileges/Data)
π **Attacker Capabilities**: With **CVSS 9.8 (Critical)**, attackers can achieve: π **High Confidentiality** breach (read sensitive data), π **High Integrity** breach (modify data), and π **High Availability** impact.β¦
π« **Public Exploit**: **No**. The `pocs` field is empty in the provided data. While references exist (WordFence, WordPress Trac), there is no confirmed public Proof-of-Concept (PoC) or widespread wild exploitation yet.β¦
π **Self-Check**: Scan your WordPress site for the **bSecure** plugin. π Check the version number. If it is **β€ 1.7.9**, you are vulnerable.β¦
β **Official Fix**: **Yes**. The vendor (bsecuretech) has acknowledged the issue. π **Action**: Update the plugin to the latest version immediately.β¦
π **No Patch? Workaround**: If you cannot update immediately: π« **Disable** the plugin if not critical. π‘οΈ **Restrict** access to the `/wp-json/` endpoint via WAF (Web Application Firewall).β¦
π₯ **Urgency**: **CRITICAL**. With a **CVSS 9.8** score and **no auth required**, this is a high-priority vulnerability. π **Action**: Patch **IMMEDIATELY**.β¦