VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Dec 13, 2024 · Updated Apr 28, 2026

CVE-2023-37969

Description

Missing Authorization vulnerability in The African Boss Checkout with Zelle on Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Checkout with Zelle on Woocommerce: from n/a through 3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability mechanics

Root cause

"Missing authorization check in administrative endpoints allows unauthenticated attackers to modify plugin settings and order statuses."

Attack vector

An unauthenticated attacker can send crafted HTTP requests to the plugin's admin-ajax or REST endpoints. WordPress exposes `admin-ajax.php` to visitors with no session (handlers registered on the `wp_ajax_nopriv_*` hooks run for them), so reaching the endpoint requires no credentials. Because the plugin never verifies that the current user holds the required WordPress capability (for example `manage_options`), the attacker can modify plugin settings, update order statuses, or read sensitive configuration data. This is a textbook Missing Authorization weakness (CWE-862).

Affected code

The plugin 'Checkout with Zelle on Woocommerce' (slug `wc-zelle`), versions through 3.1, fails to perform authorization checks on administrative actions such as saving plugin settings and updating order statuses. The changelog entry between versions 3.1 and 3.1.1 mentions `current_user_can` being swapped for `is_admin` before `plugins_loaded`. The security-relevant detail is that `is_admin()` is not a capability check at all: it only reports whether the request targets the WordPress admin area, and it returns true for every request to `admin-ajax.php`, including requests from unauthenticated visitors. `current_user_can()`, on the other hand, is a pluggable function and is not available until `plugins_loaded` has fired, which is why code that runs earlier cannot rely on it.

What the fix does

The patch (reflected in the changelog between versions 3.1 and 3.1.1) moves the code that depends on pluggable functions onto the `plugins_loaded` hook, where `current_user_can()` is available, and gates the administrative actions on proper `current_user_can()` capability checks instead of the `is_admin()` request-context test. Only authenticated users holding the appropriate WordPress capability (for example `manage_options`) can then reach the settings and order-status handlers, which closes the missing-authorization gap.
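To make the before/after concrete, here is an added example of a WordPress admin-ajax handler written the way the root cause describes and then hardened. It is illustrative code, not the wc-zelle plugin's own source or its patch; the action name `example_zelle_save`, the option name `example_zelle_settings`, the nonce name and the capabilities chosen (`manage_woocommerce`, `edit_shop_order`) are assumptions.

```php
<?php
/**
 * Added example (not code from the wc-zelle plugin or its fix).
 * Assumed names: action example_zelle_save, option example_zelle_settings.
 */

// ---------------------------------------------------------------
// Before: is_admin() mistaken for an authorization check.
// is_admin() is true for any request under wp-admin/, including
// admin-ajax.php, and says nothing about who the caller is. Registering
// the handler on wp_ajax_nopriv_* additionally opens it to visitors
// with no session at all.
// ---------------------------------------------------------------
add_action( 'wp_ajax_nopriv_example_zelle_save_vuln', 'example_zelle_save_vulnerable' );
add_action( 'wp_ajax_example_zelle_save_vuln', 'example_zelle_save_vulnerable' );
function example_zelle_save_vulnerable() {
    if ( ! is_admin() ) {            // always passes on admin-ajax.php
        wp_die( 'forbidden' );
    }
    // Any unauthenticated client reaches this point.
    update_option( 'example_zelle_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    if ( ! empty( $_POST['order_id'] ) ) {
        $order = wc_get_order( absint( $_POST['order_id'] ) );
        if ( $order ) {
            $order->update_status( sanitize_key( $_POST['status'] ?? 'completed' ) );
        }
    }
    wp_send_json_success();
}

// ---------------------------------------------------------------
// After: register on plugins_loaded (pluggable functions such as
// current_user_can() exist from here on), expose the handler only to
// logged-in users, and check a nonce plus a capability per action.
// ---------------------------------------------------------------
add_action( 'plugins_loaded', 'example_zelle_register_admin_handlers' );
function example_zelle_register_admin_handlers() {
    // No wp_ajax_nopriv_ registration: anonymous callers get "0" back.
    add_action( 'wp_ajax_example_zelle_save', 'example_zelle_save_fixed' );
}

function example_zelle_save_fixed() {
    // CSRF: the request must carry a nonce minted for this action
    // (e.g. wp_create_nonce( 'example_zelle_save' ) on the settings page).
    check_ajax_referer( 'example_zelle_save', 'nonce' );

    // Authorization for settings changes: shop-manager level capability.
    if ( isset( $_POST['settings'] ) ) {
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option(
            'example_zelle_settings',
            sanitize_text_field( wp_unslash( $_POST['settings'] ) )
        );
    }

    // Authorization for order status changes: per-object meta capability
    // mapped by WooCommerce for the shop_order post type.
    if ( ! empty( $_POST['order_id'] ) ) {
        $order_id = absint( $_POST['order_id'] );
        $order    = wc_get_order( $order_id );
        if ( ! $order || ! current_user_can( 'edit_shop_order', $order_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $order->update_status( sanitize_key( wp_unslash( $_POST['status'] ?? '' ) ) );
    }

    wp_send_json_success();
}
```

When verifying a deployed site, an unauthenticated `POST` to `/wp-admin/admin-ajax.php` naming the hardened action returns the bare `0` body WordPress emits for unregistered `nopriv` actions, and a logged-in request without a valid `nonce` is rejected by `check_ajax_referer()` before any option or order is touched. Keep the nonce and the capability check separate: the nonce proves the request came from a page this user loaded, the capability proves this user is allowed to perform the action, and neither substitutes for the other.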

Preconditions

  • Config: The WooCommerce plugin 'Checkout with Zelle on Woocommerce' version 3.1 or earlier must be installed and activated.
  • Auth: No authentication or user session is required; the attacker can be completely unauthenticated.
  • Network: The attacker must be able to send HTTP requests to the WordPress site.
  • Input: The attacker sends crafted requests to the plugin's administrative endpoints (e.g., AJAX handlers) that lack capability checks.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
