Unrated severityNVD Advisory· Published Oct 23, 2024· Updated Apr 8, 2026

WooCommerce Order Proposal <= 2.0.5 - Authenticated (Shop Manager+) Privilege Escalation via Order Proposal

CVE-2024-9927

Description

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

WooCommerce/Order Proposalllm-create
Range: <=2.0.5
WP Overnight BV/WooCommerce Order Proposalv5
Range: 0
WordPress/Order Proposalwp-canonicalize

Patches

Vulnerability mechanics

References

wpovernight.com/downloads/woocommerce-order-proposal/mitre
www.wordfence.com/threat-intel/vulnerabilities/id/cdc993a4-6f65-4570-811c-13a80dbec064mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000