NVD Vulnerability Detail

CVE-2024-8290

Summary	The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
Publication Date	Sept. 25, 2024, 4:15 p.m.
Registration Date	Sept. 25, 2024, 8 p.m.
Last Update	Oct. 3, 2024, 3:23 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:wclovers:frontend_manager_for_woocommerce_along_with_bookings_subscription_listings_compatible::::::wordpress::*					6.7.13

Related information, measures and tools

No	URL	タグ
1	https://www.wordfence.com/threat-intel/vulnerabilities/id/79172fe3-c0cf-48c4-8bc5-862c628c1a09?source=cve	Third Party Advisory
2	https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.12/controllers/customers/wcfm-controller-customers-manage.php#L97	Product
3	https://plugins.trac.wordpress.org/changeset/3156433/wc-frontend-manager/trunk/controllers/customers/wcfm-controller-customers-manage.php	Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-639	ユーザ制御の鍵による認証回避	https://cwe.mitre.org/data/definitions/639.html

JVN Vulnerability Information

WC Lovers の WordPress 用 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible におけるユーザ制御の鍵による認証回避に関する脆弱性

Title	WC Lovers の WordPress 用 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible におけるユーザ制御の鍵による認証回避に関する脆弱性
Summary	WC Lovers の WordPress 用 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible には、ユーザ制御の鍵による認証回避に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 25, 2024, midnight
Registration Date	Oct. 3, 2024, 9:49 a.m.
Last Update	Oct. 3, 2024, 9:49 a.m.

Affected System

WC Lovers

Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible 6.7.13 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-8290	https://www.cve.org/CVERecord?id=CVE-2024-8290
National Vulnerability Database (NVD)
2	CVE-2024-8290	https://nvd.nist.gov/vuln/detail/CVE-2024-8290

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-639	https://cwe.mitre.org/data/definitions/639.html

その他

No	Name	URL
関連文書
1	plugins.trac.wordpress.org (wcfm-controller-customers-manage.php#L97)	https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.12/controllers/customers/wcfm-controller-customers-manage.php#L97
2	plugins.trac.wordpress.org (wcfm-controller-customers-manage.php)	https://plugins.trac.wordpress.org/changeset/3156433/wc-frontend-manager/trunk/controllers/customers/wcfm-controller-customers-manage.php
3	www.wordfence.com (79172fe3-c0cf-48c4-8bc5-862c628c1a09?source=cve)	https://www.wordfence.com/threat-intel/vulnerabilities/id/79172fe3-c0cf-48c4-8bc5-862c628c1a09?source=cve

Change Log

No	Changed Details	Date of change
1	[2024年10月03日] 掲載	Oct. 3, 2024, 9:49 a.m.