Critical severity9.8NVD Advisory· Published Dec 25, 2024· Updated Apr 15, 2026

CVE-2024-11281

Description

The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

codecanyon.net/item/wordpress-woocommerce-pos-system-point-of-sale/21254976nvd
www.wordfence.com/threat-intel/vulnerabilities/id/2a0671b1-1414-4315-8a2d-bd1aabe091a4nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.003
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000