漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
MyParcel <= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Shipment Data Disclosure and Modification via wcmp_get_shipment_options and wcmp_save_shipment_options AJAX Actions
Vulnerability Description
The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options — including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance — on any arbitrary order.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vulnerability Type
授权机制缺失
Vulnerability Title
WordPress MyParcel 授权问题漏洞
Vulnerability Description
WordPress MyParcel是WordPress基金会的一款面向WooCommerce的开源物流插件。 WordPress MyParcel 4.25.1及之前版本存在授权问题漏洞,该漏洞源于插件未正确验证用户授权,可能导致经过身份验证的攻击者(至少拥有订阅者级别权限)查看和修改任意订单的运输选项。
CVSS Information
N/A
Vulnerability Type
N/A