← voltar
CVE-2024-13719

PeproDev Ultimate Invoice <= 2.0.9 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure

CVSS 5.3 MEDIUMEPSS 0.4%CWE-862
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
19 fev 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Produtos afetados
peprodev · PeproDev Ultimate Invoice

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3244844%40pepro-ultimate-invoice&new=3244844%40pepro-ultimate-invoice&sfp_email=&sfph_mail=https://wordpress.org/plugins/pepro-ultimate-invoice/https://www.wordfence.com/threat-intel/vulnerabilities/id/46186f8d-e50c-476a-9480-b6121412474a?source=cve