WordPress WooCommerce Conversion Tracking plugin <= 2.0.11 - Broken Access Control vulnerability

Vulnerability

The WooCommerce Conversion Tracking plugin by weDevs contains a Missing Authorization vulnerability in versions from n/a through 2.0.11 [1]. This flaw occurs in the plugin's administrative or API endpoints where proper capability checks are missing, allowing unauthenticated or low-privileged users to access sensitive functionality.

Exploitation

An attacker can exploit this vulnerability by sending crafted requests to the vulnerable endpoints without needing any authentication or with minimal privileges. No user interaction is required. The exact attack vector is not detailed in the available references, but the missing authorization suggests that the plugin fails to verify user permissions before executing certain actions.

Impact

Successful exploitation could allow an attacker to modify conversion tracking settings, inject malicious tracking codes, or access sensitive configuration data. This could lead to data integrity compromise and potential information disclosure.

Mitigation

The vulnerability is fixed in versions after 2.0.11. Users should update to the latest version (2.1.5 as of the reference [1]) to remediate the issue. No workarounds are documented in the available references.