CVE-2024-37201
📋 TL;DR
This CVE describes a Missing Authorization vulnerability in the Woocommerce Customers Order History WordPress plugin that allows attackers to bypass access controls. It affects all versions up to 5.2.2, potentially exposing customer order history data to unauthorized users.
💻 Affected Systems
- Woocommerce Customers Order History WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthenticated attackers could access sensitive customer order history data including personal information, order details, and potentially payment information if stored.
Likely Case
Attackers with basic WordPress user accounts could escalate privileges to view customer order data they shouldn't have access to.
If Mitigated
With proper access controls and authentication checks, only authorized administrators can view customer order history.
🎯 Exploit Status
Exploitation likely requires at least some WordPress user access, but specific authorization checks are missing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Woocommerce Customers Order History'
4. Click 'Update Now' if available
5. Alternatively, download version 5.2.3+ from WordPress repository
6. Deactivate, delete old version, upload new version, activate
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate woo-customers-order-history
Restrict Access via .htaccess
linuxAdd access restrictions to plugin directories
Order deny,allow
Deny from all
🧯 If You Can't Patch
- Implement additional access control layer via WordPress roles/capabilities
- Monitor access logs for unauthorized attempts to access customer order data
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Woocommerce Customers Order History versionCheck Version:
wp plugin get woo-customers-order-history --field=versionVerify Fix Applied:
Verify plugin version is 5.2.3 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to customer order history endpoints
- Multiple failed authorization checks for order data
Network Indicators:
- Unusual requests to /wp-content/plugins/woo-customers-order-history/ endpoints
SIEM Query:
source="wordpress" AND (uri_path="*woo-customers-order-history*" OR plugin="woo-customers-order-history") AND (user_role!="administrator" OR auth_failure="true")