CVE-2024-35662

5.4 MEDIUM

📋 TL;DR

This CVE describes a Missing Authorization vulnerability in the Simple COD Fees for WooCommerce WordPress plugin. It allows unauthorized users to perform administrative actions like modifying plugin settings. All WordPress sites using affected plugin versions are vulnerable.

💻 Affected Systems

Products:
  • Simple COD Fees for WooCommerce WordPress plugin
Versions: All versions up to and including 2.0.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce installed. Vulnerability exists in default plugin configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could modify payment settings, add unauthorized fees to orders, or potentially escalate privileges to compromise the entire WordPress installation.

🟠 Likely Case

Unauthorized users could manipulate COD (Cash on Delivery) fee settings, affecting store pricing and potentially causing financial loss or customer dissatisfaction.

🟢 If Mitigated

With proper authorization controls, only authenticated administrators could modify plugin settings, preventing unauthorized changes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some WordPress/WooCommerce knowledge but is straightforward once the vulnerability is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.3 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/simple-cod-fee-for-woocommerce/wordpress-simple-cod-fees-for-woocommerce-plugin-2-0-2-broken-access-control-vulnerability

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Simple COD Fees for WooCommerce'.
4. Click 'Update Now' if available, or download version 2.0.3+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate simple-cod-fee-for-woocommerce

Restrict Admin Access (applies to: all)

Limit access to the WordPress admin area to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement strict access controls to WordPress admin area using IP whitelisting
  • Monitor plugin settings changes and audit logs for unauthorized modifications

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → Simple COD Fees for WooCommerce version

Check Version:

wp plugin get simple-cod-fee-for-woocommerce --field=version

Verify Fix Applied:

Verify plugin version is 2.0.3 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to plugin admin endpoints
  • Changes to COD fee settings from non-admin users

Network Indicators:

  • HTTP requests to /wp-admin/admin.php?page=wc-settings&tab=checkout&section=cod_fee from unauthorized IPs

SIEM Query:

source="wordpress.log" AND ("cod_fee" OR "simple-cod-fee") AND ("POST /wp-admin/" OR "admin.php")
