CVE-2024-12826
Description
The GoHero Store Customizer for WooCommerce plugin ≤3.5 lacks a capability check, letting unauthenticated attackers modify limited plugin settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5 [1]. This function, accessible without authentication, allows updating plugin settings without verifying the user's permissions.
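The pattern described above, shown as an added illustration of a settings handler without and with a capability check; this is not the plugin's source code. The handler names, the `example_save_*` AJAX actions, the `example_settings` option, the nonce field and the allow-listed keys are all hypothetical, and registration through WordPress AJAX hooks is an assumption about how such a function is exposed.

```php
<?php
// Added illustration, NOT the GoHero plugin's code. All names are hypothetical.

// Before: also registered for logged-out visitors, and never checks the caller.
add_action('wp_ajax_example_save_before', 'example_settings_save_unchecked');
add_action('wp_ajax_nopriv_example_save_before', 'example_settings_save_unchecked');

function example_settings_save_unchecked() {
    // No current_user_can() and no nonce: any request reaching the hook
    // overwrites the stored settings.
    update_option('example_settings', wp_unslash($_POST['settings'] ?? array()));
    wp_send_json_success();
}

// After: no nopriv registration, plus explicit authorization inside the handler.
add_action('wp_ajax_example_save_after', 'example_settings_save_checked');

function example_settings_save_checked() {
    // Capability check: only users who may manage site options proceed.
    // wp_send_json_error() sends the response and terminates the request.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    // Nonce check: the request must come from the settings form (CSRF defence).
    check_ajax_referer('example_settings_save', 'nonce');

    // Write only allow-listed keys, sanitizing each value.
    $allowed = array('banner_text', 'accent_color'); // hypothetical setting keys
    $input   = (isset($_POST['settings']) && is_array($_POST['settings']))
        ? wp_unslash($_POST['settings'])
        : array();
    $clean = array();
    foreach ($allowed as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = sanitize_text_field($input[$key]);
        }
    }

    $current = (array) get_option('example_settings', array());
    update_option('example_settings', array_merge($current, $clean));
    wp_send_json_success();
}
```

The capability check and the nonce check cover different things: the first decides who may change settings, the second confirms that an authorized user's browser was not tricked into sending the request.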
Exploitation
An unauthenticated attacker can exploit this by sending a crafted request to the vulnerable endpoint. The attack requires no authentication or prior knowledge, and can be performed remotely over the network [1].
Impact
Successful exploitation enables an unauthenticated attacker to update certain plugin settings. While the attacker cannot modify all settings, they can alter limited configuration options, potentially leading to minor adjustments in plugin behavior [1].
Mitigation
Versions up to and including 3.5 are affected. As of January 25, 2025, a patched version has not been released. Users are advised to update the plugin once a fix becomes available or to implement additional access controls as a workaround [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 3
News mentions: 0
No linked articles in our index yet.