CVE-2023-52179

Vulnerability

Overview The Product Expiry for WooCommerce plugin for WordPress versions through 2.5 suffers from a missing authorization vulnerability. This broken access control issue occurs because certain functions lack proper nonce or capability checks, allowing unauthenticated or low-privileged users to execute actions intended for higher-privileged roles [1].

Exploitation

Details This vulnerability is classified as broken access control and is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size [1]. The CVSS score of 5.4 (Medium) reflects the potential for exploitation without complex prerequisites, though the vendor considers it low severity and unlikely to be actively exploited [1].

Impact

An attacker exploiting this flaw can perform unauthorized operations within the plugin, potentially disrupting product expiry settings or accessing sensitive functionality [1]. The exact impact scope depends on the missing authorization check, but it undermines the intended privilege separation.

Mitigation

To remediate, update the plugin to version 2.6 or later, where the authorization check is enforced [1]. Patchstack users can enable auto-updates for vulnerable plugins. For sites unable to update immediately, consult a hosting provider or web developer for assistance [1].