
CVE-2020-29156: WooCommerce Incorrect Authorization

CVSS Score (CVSS v3.1)
5.3

Basic Information

EPSS Score
0.93759%
Published
5/24/2022
Updated
1/10/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name
woocommerce/woocommerce
Ecosystem
composer
Vulnerable Versions
< 4.7.0
First Patched Version
4.7.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability lies in the handling of the 'fetch_order_status' AJAX action, so the function that handles this action is likely the vulnerable one. Typical WordPress AJAX handling practices suggest a function such as 'woocommerce_ajax_fetch_order_status' could be responsible. The exact file path and function name are inferred from common WooCommerce and WordPress coding practices, not confirmed from the patched source.


WAF Protection Rules

WAF Rule

The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the `order_id` parameter in a `fetch_order_status` action.
