CVE-2024-1718

EUVD-2024-17452
The Claudio Sanches – Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the update_order_status() function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update the status of orders to paid bypassing payment.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
WordfenceCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
References
https://plugins.trac.wordpress.org/browser/woocommerce-checkout-cielo/trunk/includes/class-wc-checkout-cielo-gateway.php#L296
https://www.wordfence.com/threat-intel/vulnerabilities/id/40cb3214-a11b-4bee-9422-256d12303460?source=cve
https://plugins.trac.wordpress.org/browser/woocommerce-checkout-cielo/trunk/includes/class-wc-checkout-cielo-gateway.php#L296
https://www.wordfence.com/threat-intel/vulnerabilities/id/40cb3214-a11b-4bee-9422-256d12303460?source=cve