CVE-2023-0865
📋 TL;DR
This vulnerability in the WooCommerce Multiple Customer Addresses & Shipping WordPress plugin allows any authenticated user (even low-privilege subscribers) to access, modify, duplicate, or delete other users' addresses. It affects WordPress sites using vulnerable versions of this plugin, potentially exposing customer data and enabling unauthorized changes.
💻 Affected Systems
- WooCommerce Multiple Customer Addresses & Shipping WordPress plugin
📦 What is this software?
WooCommerce Multiple Customer Addresses & Shipping by the WooCommerce Multiple Customer Addresses & Shipping Project
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access, modify, or delete all customer address data, potentially enabling identity theft, fraud, or further attacks by gathering sensitive information about users.
Likely Case
Authenticated attackers accessing and modifying other users' addresses, potentially disrupting orders, harvesting personal data, or causing service issues.
If Mitigated
Limited to authenticated users only, with proper access controls preventing unauthorized data access.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public proof-of-concept exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.7 and later
Vendor Advisory: https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WooCommerce Multiple Customer Addresses & Shipping'.
4. Click 'Update Now' if available, or manually update to version 21.7+.
5. Verify the update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the plugin until patched
wp plugin deactivate woocommerce-multiple-addresses
Restrict user registration
Temporarily disable new user registration to limit the attack surface
wp option update users_can_register 0
🧯 If You Can't Patch
- Implement web application firewall rules to block suspicious address manipulation requests
- Enable detailed logging of all address-related operations and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins > Installed Plugins. If the version is below 21.7, the site is vulnerable.
Check Version:
wp plugin get woocommerce-multiple-addresses --field=version
Verify Fix Applied:
Confirm the plugin version is 21.7 or higher in the WordPress admin panel. Then test with a low-privilege account (e.g., a subscriber) attempting to access another user's addresses; after the fix those requests should be denied.
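The version check above is easy to get wrong when scripted, because comparing version strings as text puts "21.10" before "21.7". The following is an added example (not part of the advisory or the plugin) that wraps the advisory's wp-cli command and compares the result numerically against the 21.7 fix version. The plugin slug is the one used in the advisory's commands; the assumption that versions are plain dotted integers is marked in the code.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

PLUGIN_SLUG = "woocommerce-multiple-addresses"  # slug used in the advisory's wp-cli commands
FIXED_VERSION = "21.7"                           # first patched version per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '21.7' or 'v21.6.3' into a tuple of ints for numeric comparison.

    Assumption: the plugin reports plain dotted integers. Anything else
    (pre-release suffixes, blanks) is rejected rather than guessed at.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)\s*$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fix.

    Tuple comparison is used because plain string comparison orders
    '21.10' before '21.7' and would report a patched site as vulnerable.
    """
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: Optional[str] = None) -> str:
    """Ask wp-cli for the plugin version (the same command the advisory gives)."""
    wp = wp_path or shutil.which("wp")
    if wp is None:
        raise RuntimeError("wp-cli ('wp') not found on PATH")
    out = subprocess.run(
        [wp, "plugin", "get", PLUGIN_SLUG, "--field=version"],
        check=True, capture_output=True, text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    version = installed_version()
    if is_vulnerable(version):
        print(f"{PLUGIN_SLUG} {version}: VULNERABLE, update to {FIXED_VERSION} or later")
    else:
        print(f"{PLUGIN_SLUG} {version}: patched")
```

Run it on the WordPress host as the web user (the same account you would run `wp` as); `is_vulnerable()` can also be fed version strings collected from an inventory system without invoking wp-cli at all.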
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for address operations
- User accessing/modifying addresses not belonging to them
- Unusual address modification patterns from low-privilege accounts
Network Indicators:
- POST requests to address endpoints from unauthorized users
- Unusual API calls to user address management functions
SIEM Query:
source="wordpress.log" AND ("add_address" OR "update_address" OR "delete_address") AND user_role="subscriber"
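The SIEM query above flags every address operation by a subscriber, which also matches customers legitimately editing their own addresses. The following added example (not part of the advisory) refines the log indicators listed above into a small detector: it parses a constructed key=value event format, reports address operations where a non-privileged account acted on a different user's record, and summarises actors that touched several distinct accounts, which is the harvesting pattern the "Likely Case" describes. The log format, the `duplicate_address` action name, the role names and the sample events are all assumptions; adapt `parse_line()` to whatever your logging plugin emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Address operations, using the action names from the advisory's SIEM query;
# "duplicate_address" is an assumed name for the plugin's duplicate action.
ADDRESS_ACTIONS = {"add_address", "update_address", "delete_address", "duplicate_address"}

# Roles that may legitimately manage other customers' addresses (assumption;
# adjust to your store's role model).
PRIVILEGED_ROLES = {"administrator", "shop_manager"}

# Constructed log format (assumption): "<timestamp> key=value key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    actor_id: int
    role: str
    action: str
    target_id: int
    ip: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one event line into a field dict; None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_cross_user_address_ops(lines: Iterable[str]) -> List[Finding]:
    """Address operations where a non-privileged actor touched another user's data."""
    findings: List[Finding] = []
    for line in lines:
        f = parse_line(line)
        if not f or f.get("action") not in ADDRESS_ACTIONS:
            continue
        try:
            actor, target = int(f["user_id"]), int(f["target_user"])
        except (KeyError, ValueError):
            continue  # incomplete event: not enough to judge, skip rather than guess
        role = f.get("role", "unknown")
        # A customer editing their own addresses is normal traffic. The missing
        # authorization check in CVE-2023-0865 shows up as a low-privilege actor
        # whose target is a different account, so only that combination is reported.
        if actor != target and role not in PRIVILEGED_ROLES:
            findings.append(Finding(f["ts"], actor, role, f["action"], target, f.get("ip", "?")))
    return findings


def actors_touching_many_targets(findings: Iterable[Finding], threshold: int = 3) -> Dict[int, int]:
    """Actor id -> number of distinct victim accounts, for actors at or above threshold.

    One low-privilege account reaching several distinct targets suggests
    address harvesting rather than a single stray request.
    """
    targets: Dict[int, Set[int]] = {}
    for f in findings:
        targets.setdefault(f.actor_id, set()).add(f.target_id)
    return {actor: len(t) for actor, t in targets.items() if len(t) >= threshold}


# Constructed sample events (not real log data).
SAMPLE_LOG = """\
2023-02-14T09:12:01Z user_id=17 role=subscriber action=update_address target_user=17 ip=198.51.100.10
2023-02-14T09:12:44Z user_id=17 role=subscriber action=update_address target_user=42 ip=198.51.100.10
2023-02-14T09:13:02Z user_id=17 role=subscriber action=delete_address target_user=43 ip=198.51.100.10
2023-02-14T09:13:30Z user_id=17 role=subscriber action=duplicate_address target_user=44 ip=198.51.100.10
2023-02-14T09:15:00Z user_id=3 role=administrator action=update_address target_user=42 ip=203.0.113.9
2023-02-14T09:16:00Z user_id=50 role=customer action=add_address target_user=50 ip=203.0.113.20
2023-02-14T09:17:00Z user_id=50 role=customer action=view_orders target_user=50 ip=203.0.113.20
"""

if __name__ == "__main__":
    hits = find_cross_user_address_ops(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} actor={h.actor_id} ({h.role}) {h.action} on user {h.target_id} from {h.ip}")
    print("possible harvesting:", actors_touching_many_targets(hits))
```

On the sample events only the three operations by user 17 against users 42, 43 and 44 are reported; the administrator's edit and the customers' own-address operations are not. Emitting the target account id alongside the actor in your plugin or application logs is what makes this distinction possible at all.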