CVE-2024-1119
Description
The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_tips_to_csv() function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's order fees.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Order Tip for WooCommerce plugin for WordPress: all versions <= 1.3.1
Patches
Vulnerability mechanics
Root cause
"Missing capability check in export_tips_to_csv() allows unauthenticated access to order fee data."
Attack vector
An unauthenticated attacker can reach the `export_tips_to_csv()` handler over plain HTTP, because the plugin exposes it on a request path that never verifies who is calling [CWE-862]. The function does not check the current user's capabilities before building and streaming the CSV, so the order fee (tip) records it exports are disclosed to anyone who can send the request. The attack needs no privileges, no user interaction and no special network position; a single crafted request to the site is enough.
Affected code
The `export_tips_to_csv()` function in the Order Tip for WooCommerce plugin (versions up to and including 1.3.1) performs no capability check, so unauthenticated requests can trigger the export of order fee data. Version 1.4.0 adds a capability check and a nonce to this function.
What the fix does
Version 1.4.0 secures the `export_tips_to_csv()` method by adding a capability check and by attaching a nonce to the export link via `wp_nonce_url()`, which the handler then verifies [ref_id=1]. The capability check is the part that closes the missing-authorization flaw: only users holding the required capability can export tip data. The nonce is a separate control that prevents a logged-in administrator from being tricked into triggering the export (cross-site request forgery); on its own it would not stop an unauthenticated attacker, since WordPress nonces issued to logged-out visitors are not bound to an individual. The function was introduced in version 1.1.1, so releases 1.1.1 through 1.3.1 carry the flaw and 1.4.0 is the first fixed release.
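The pattern described above, as an added illustration that is not the Order Tip for WooCommerce plugin's own code: a CSV export handler registered on WordPress's `admin-post.php` endpoint with no authorization, beside a hardened version that checks a capability and verifies a nonce. The hook names, the `manage_woocommerce` capability, the nonce action string and the WooCommerce calls used to collect fee lines are assumptions chosen for the example.

```php
<?php
/**
 * Illustrative example only; not code from the Order Tip for WooCommerce plugin.
 * Assumed names: the 'export_tips_to_csv' admin-post action, the
 * 'manage_woocommerce' capability and the 'export_tips_to_csv' nonce action.
 */

// Collects one row per fee line across all orders (WooCommerce API: wc_get_orders(),
// WC_Order::get_fees(), WC_Order_Item_Fee::get_name()/get_total()).
function example_fetch_tip_rows() {
    $rows = array();
    foreach ( wc_get_orders( array( 'limit' => -1 ) ) as $order ) {
        foreach ( $order->get_fees() as $fee ) {
            $rows[] = array( $order->get_id(), $fee->get_name(), $fee->get_total() );
        }
    }
    return $rows;
}

// Streams the rows as a CSV download and terminates the request.
function example_stream_tips_csv( array $rows ) {
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="order-tips.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'order_id', 'fee_name', 'fee_total' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}

// --- Vulnerable pattern (CWE-862) ---
// The _nopriv hook fires for visitors who are not logged in, and the handler
// never asks who is calling, so a plain request such as
// GET /wp-admin/admin-post.php?action=export_tips_to_csv returns the data.
add_action( 'admin_post_nopriv_export_tips_to_csv', 'example_vuln_export_tips_to_csv' );
add_action( 'admin_post_export_tips_to_csv',        'example_vuln_export_tips_to_csv' );

function example_vuln_export_tips_to_csv() {
    example_stream_tips_csv( example_fetch_tip_rows() );
}

// --- Hardened pattern ---
// Registered only for logged-in requests (no _nopriv variant), then the handler
// checks authorization before doing anything, then verifies the CSRF nonce.
add_action( 'admin_post_export_tips_to_csv', 'example_safe_export_tips_to_csv' );

function example_safe_export_tips_to_csv() {
    // Authorization: this check is what actually closes the missing-capability flaw.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to export tips.', 'example' ), 403 );
    }
    // CSRF: verifies the _wpnonce query argument that wp_nonce_url() appended
    // to the export link; dies with 403 on mismatch.
    check_admin_referer( 'export_tips_to_csv' );

    example_stream_tips_csv( example_fetch_tip_rows() );
}

// Builds the admin-side export link so it carries the nonce verified above.
function example_export_tips_link() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=export_tips_to_csv' ),
        'export_tips_to_csv'
    );
}
```

Two points matter when reviewing a fix like this. First, the capability check and the nonce check do different jobs: `current_user_can()` decides whether this account may export at all, while `check_admin_referer()` only confirms the request was intentionally initiated from a page that carried the nonce. Second, leaving the `admin_post_nopriv_*` registration in place would re-expose the handler to anonymous callers regardless of what the function body checks, so the hook wiring has to be reviewed along with the function.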
Preconditions
- auth: No authentication required
- network: Network access to the WordPress site
- config: The vulnerable plugin version must be 1.3.1 or earlier
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.