CVE-2024-9189

MEDIUM

EU/UK VAT Manager for WooCommerce <= 2.12.12 - Unauthenticated Data Modification via alg_wc_eu_vat_exempt_vat_from_admin


Description

The EU/UK VAT Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the alg_wc_eu_vat_exempt_vat_from_admin() function in all versions up to, and including, 2.12.12. This makes it possible for unauthenticated attackers to update the VAT status for any order.

Scores

CVSS v3 5.3
EPSS 0.0047
EPSS Percentile 37.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
wpcodefactory/EU/UK VAT Validation Manager for WooCommerce < 2.12.12
wpfactory/eu\/uk_vat_manager_for_woocommerce < 2.12.14
Published Sep 28, 2024
Tracked Since Feb 18, 2026