The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers downloaded Woo-Add-To-Carts plugin on the system and created administrative accounts.
Vulnerability details
Vulnerable component:
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
CWE-ID: CWE-284 - Improper Access Control
Description:
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and inject new fields and scripts into the WooCommerce checkout page.
Note: the vulnerability is being actively exploited in the wild.