CVE-2023-41240

5.3 MEDIUM

📋 TL;DR

This vulnerability allows unauthorized users to access functionality intended only for administrators in the Vark Pricing Deals for WooCommerce WordPress plugin. Attackers could modify pricing rules, create unauthorized deals, or access sensitive plugin settings. All WordPress sites using affected versions of this plugin are vulnerable.

💻 Affected Systems

Products:
  • Vark Pricing Deals for WooCommerce WordPress plugin
Versions: n/a through 2.0.3.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate product pricing across the entire WooCommerce store, create fraudulent deals, steal customer data, or disrupt e-commerce operations.

🟠 Likely Case

Unauthorized users gain administrative access to the plugin's configuration, allowing them to modify pricing rules and create unauthorized promotional deals.

🟢 If Mitigated

With proper access controls and network segmentation, impact is limited to the plugin's functionality without compromising the broader WordPress installation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some WordPress access but not necessarily administrative privileges. The vulnerability is in authorization checks, not authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/pricing-deals-for-woocommerce/wordpress-pricing-deals-for-woocommercepricing-deals-for-woocommerce-plugin-2-0-3-2-broken-access-control-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Pricing Deals for WooCommerce'.
4. Click 'Update Now' if available.
5. If no update appears, download version 2.0.3.3+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate pricing-deals-for-woocommerce

Restrict Access via .htaccess (platform: Linux/Apache)

Block access to plugin files for non-administrators. Note that FilesMatch matches on the requested file name only: this rule covers direct requests to files named pricing-deals* (for example under wp-content/plugins), but not the plugin's admin page, which is served through /wp-admin/admin.php?page=pricing-deals and therefore needs the application-level controls listed below.

# Add to .htaccess in the WordPress root.
# Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat,
# otherwise replace the three directives with: Require ip 127.0.0.1
<FilesMatch "pricing-deals.*">
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</FilesMatch>

🧯 If You Can't Patch

  • Implement strict role-based access controls in WordPress
  • Monitor and audit all pricing rule changes in WooCommerce

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Pricing Deals for WooCommerce' version 2.0.3.2 or earlier

Check Version:

wp plugin get pricing-deals-for-woocommerce --field=version

Verify Fix Applied:

Verify plugin version is 2.0.3.3 or later in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /wp-admin/admin.php?page=pricing-deals
  • Unexpected pricing rule modifications in WooCommerce logs
  • Non-admin users accessing plugin administration pages

Network Indicators:

  • HTTP requests to plugin admin endpoints from unauthorized IPs
  • POST requests to pricing-deals AJAX endpoints without proper authorization headers

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin.php" AND query_string="page=pricing-deals") AND user_role!="administrator"
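The SIEM query above as a stand-alone check, added here as an example and not part of the original advisory: it applies the same condition (plugin admin page reached by a non-administrator) to WordPress audit-log events in JSON Lines form. The field names mirror the query and the sample events are constructed; the page slug pricing-deals is the one given in this advisory.

```python
import json
from urllib.parse import parse_qs

# Constructed sample events mirroring the SIEM query's fields (source, uri_path,
# query_string, user_role). Not real log data.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2023-09-01T10:00:01Z", "source": "wordpress", "user": "alice",
     "user_role": "administrator", "method": "GET",
     "uri_path": "/wp-admin/admin.php", "query_string": "page=pricing-deals"},
    {"ts": "2023-09-01T10:00:07Z", "source": "wordpress", "user": "bob",
     "user_role": "subscriber", "method": "GET",
     "uri_path": "/wp-admin/admin.php", "query_string": "page=pricing-deals&tab=rules"},
    {"ts": "2023-09-01T10:00:09Z", "source": "wordpress", "user": "bob",
     "user_role": "subscriber", "method": "GET",
     "uri_path": "/wp-admin/profile.php", "query_string": ""},
    {"ts": "2023-09-01T10:00:12Z", "source": "nginx", "user": "-",
     "user_role": "-", "method": "GET",
     "uri_path": "/wp-admin/admin.php", "query_string": "page=pricing-deals"},
])

ADMIN_PATH = "/wp-admin/admin.php"
PLUGIN_PAGE = "pricing-deals"   # slug from the advisory; sub-pages sharing the prefix also match


def is_suspicious(event: dict) -> bool:
    """True when a non-administrator reaches the plugin's admin page.
    The page parameter is parsed rather than matched as a whole string, so extra
    parameters (the constructed &tab=rules) do not hide a hit as the raw query would."""
    if event.get("source") != "wordpress" or event.get("uri_path") != ADMIN_PATH:
        return False
    page = parse_qs(event.get("query_string", "")).get("page", [""])[0]
    return page.startswith(PLUGIN_PAGE) and event.get("user_role") != "administrator"


def scan(jsonl: str) -> list:
    """Return (timestamp, user, role) for every suspicious event in a JSON Lines log."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["ts"], ev["user"], ev["user_role"]))
    return hits


if __name__ == "__main__":
    for ts, user, role in scan(SAMPLE_EVENTS):
        print(f"{ts} {user} ({role}) reached page={PLUGIN_PAGE}")
```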

🔗 References
