CVE-2023-3365

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have authorisation when deleting shipment, allowing any authenticated users, such as subscriber to delete arbitrary shipment
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
WPScanCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 36%
VendorProductVersion
multiparcelsmultiparcels_shipping_for_woocommerce
𝑥
< 1.14.14
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/21ce5baa-8085-4053-8d8b-f7d3e2ae70c1
https://wpscan.com/vulnerability/21ce5baa-8085-4053-8d8b-f7d3e2ae70c1