Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Customer Email Verification for WooCommerce by wpcodefactory

    CVE-2024-13525 (GCVE-0-2024-13525)

    Vulnerability from nvd – Published: 2025-02-15 08:25 – Updated: 2026-04-08 17:13
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T21:14:34.485248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T21:14:45.547Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:13:26.664Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63a41d1-b9b0-43a9-a6e0-761f3b8d9d4a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.9.2/includes/class-alg-wc-ev-core.php#L990"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3232261%40emails-verification-for-woocommerce%2Ftrunk\u0026old=3230854%40emails-verification-for-woocommerce%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-14T20:00:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13525",
        "datePublished": "2025-02-15T08:25:06.554Z",
        "dateReserved": "2025-01-17T21:44:08.330Z",
        "dateUpdated": "2026-04-08T17:13:26.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13528 (GCVE-0-2024-13528)

    Vulnerability from nvd – Published: 2025-02-12 09:22 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.9.5 - Authentication Bypass via Shortcode
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13528",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:37:39.130792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T14:38:45.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The \u0027Fine tune placement\u0027 option must be enabled in the plugin settings in order to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:49.661Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b3798e3-45fe-4829-9012-dc728d4af87f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.9.2/includes/class-alg-wc-ev-emails.php#L151"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3238136/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-11T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.9.5 - Authentication Bypass via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13528",
        "datePublished": "2025-02-12T09:22:47.776Z",
        "dateReserved": "2025-01-17T23:24:53.274Z",
        "dateUpdated": "2026-04-08T16:34:49.661Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4185 (GCVE-0-2024-4185)

    Vulnerability from nvd – Published: 2024-04-30 08:32 – Updated: 2026-04-08 17:31
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the "Login the user automatically after the account is verified" and "Verify account for current users" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    wpcodefactory Customer Email Verification for WooCommerce Affected: 0 , ≤ 2.7.4 (semver)
    Create a notification for this product.
    wpfactory customer_email_verification_for_woocommerce Affected: 0 , ≤ 2.7.4 (custom)
        cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "customer_email_verification_for_woocommerce",
                "vendor": "wpfactory",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4185",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T16:51:56.560610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T20:06:07.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:33:52.503Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the \"Login the user automatically after the account is verified\" and \"Verify account for current users\" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330 Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:31:15.707Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-04-29T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4185",
        "datePublished": "2024-04-30T08:32:23.492Z",
        "dateReserved": "2024-04-25T14:28:40.021Z",
        "dateUpdated": "2026-04-08T17:31:15.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13525 (GCVE-0-2024-13525)

    Vulnerability from cvelistv5 – Published: 2025-02-15 08:25 – Updated: 2026-04-08 17:13
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13525",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-18T21:14:34.485248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-18T21:14:45.547Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:13:26.664Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63a41d1-b9b0-43a9-a6e0-761f3b8d9d4a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.9.2/includes/class-alg-wc-ev-core.php#L990"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3232261%40emails-verification-for-woocommerce%2Ftrunk\u0026old=3230854%40emails-verification-for-woocommerce%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-14T20:00:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.9.4 - Authenticated (Contributor+) Sensitive Information Exposure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13525",
        "datePublished": "2025-02-15T08:25:06.554Z",
        "dateReserved": "2025-01-17T21:44:08.330Z",
        "dateUpdated": "2026-04-08T17:13:26.664Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-13528 (GCVE-0-2024-13528)

    Vulnerability from cvelistv5 – Published: 2025-02-12 09:22 – Updated: 2026-04-08 16:34
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.9.5 - Authentication Bypass via Shortcode
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The 'Fine tune placement' option must be enabled in the plugin settings in order to exploit the vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-13528",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-12T14:37:39.130792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T14:38:45.364Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.9.5. This is due to the presence of a shortcode that will generate a confirmation link with a placeholder email. This makes it possible for authenticated attackers, with Contributor-level access and above, to generate a verification link for any unverified user and log into the account. The \u0027Fine tune placement\u0027 option must be enabled in the plugin settings in order to exploit the vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:34:49.661Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b3798e3-45fe-4829-9012-dc728d4af87f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.9.2/includes/class-alg-wc-ev-emails.php#L151"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3238136/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-02-11T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.9.5 - Authentication Bypass via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-13528",
        "datePublished": "2025-02-12T09:22:47.776Z",
        "dateReserved": "2025-01-17T23:24:53.274Z",
        "dateUpdated": "2026-04-08T16:34:49.661Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4185 (GCVE-0-2024-4185)

    Vulnerability from cvelistv5 – Published: 2024-04-30 08:32 – Updated: 2026-04-08 17:31
    VLAI
    Title
    Customer Email Verification for WooCommerce <= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness
    Summary
    The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the "Login the user automatically after the account is verified" and "Verify account for current users" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-330 - Use of Insufficiently Random Values
    Assigner
    Impacted products
    Vendor Product Version
    wpcodefactory Customer Email Verification for WooCommerce Affected: 0 , ≤ 2.7.4 (semver)
    Create a notification for this product.
    wpfactory customer_email_verification_for_woocommerce Affected: 0 , ≤ 2.7.4 (custom)
        cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    István Márton
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:wpfactory:customer_email_verification_for_woocommerce:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "customer_email_verification_for_woocommerce",
                "vendor": "wpfactory",
                "versions": [
                  {
                    "lessThanOrEqual": "2.7.4",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4185",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T16:51:56.560610Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T20:06:07.808Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:33:52.503Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Email Verification for WooCommerce",
              "vendor": "wpcodefactory",
              "versions": [
                {
                  "lessThanOrEqual": "2.7.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Istv\u00e1n M\u00e1rton"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the \"Login the user automatically after the account is verified\" and \"Verify account for current users\" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-330",
                  "description": "CWE-330 Use of Insufficiently Random Values",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:31:15.707Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebae4b18-5b5f-45c3-86e2-02eefd7abdb7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/alg-wc-ev-functions.php#L299"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/emails-verification-for-woocommerce/tags/2.7.4/includes/class-alg-wc-ev-core.php#L731"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3078804/emails-verification-for-woocommerce#file2"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-04-29T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Customer Email Verification for WooCommerce \u003c= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4185",
        "datePublished": "2024-04-30T08:32:23.492Z",
        "dateReserved": "2024-04-25T14:28:40.021Z",
        "dateUpdated": "2026-04-08T17:31:15.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }