CVE-2024-1718

The Claudio Sanches  Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the update_order_status() function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update the status of orders to paid bypassing payment.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
WordfenceCNA
5.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
References
https://plugins.trac.wordpress.org/browser/woocommerce-checkout-cielo/trunk/includes/class-wc-checkout-cielo-gateway.php#L296
https://www.wordfence.com/threat-intel/vulnerabilities/id/40cb3214-a11b-4bee-9422-256d12303460?source=cve
https://plugins.trac.wordpress.org/browser/woocommerce-checkout-cielo/trunk/includes/class-wc-checkout-cielo-gateway.php#L296
https://www.wordfence.com/threat-intel/vulnerabilities/id/40cb3214-a11b-4bee-9422-256d12303460?source=cve