Search criteria

1 vulnerability by soisy

CVE-2023-5132 (GCVE-0-2023-5132)

Vulnerability from cvelistv5 – Published: 2023-10-21 01:53 – Updated: 2026-04-08 17:25
VLAI
Title
Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure
Summary
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information (e.g., Name, Address, Email Address, and other order metadata).
Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
soisytech Soisy Pagamento Rateale Affected: 0 , ≤ 6.0.1 (semver)
Create a notification for this product.
Credits
Francesco Carlucci
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:44:53.788Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3c997cd-37b4-4b9c-b99e-397be484aa36?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://plugins.trac.wordpress.org/browser/soisy-pagamento-rateale/trunk/public/class-soisy-pagamento-rateale-public.php#L465"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T18:37:08.241606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T18:59:52.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Soisy Pagamento Rateale",
          "vendor": "soisytech",
          "versions": [
            {
              "lessThanOrEqual": "6.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Francesco Carlucci"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerce Order ID to expose sensitive WooCommerce order information (e.g., Name, Address, Email Address, and other order metadata)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:25:41.662Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d3c997cd-37b4-4b9c-b99e-397be484aa36?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/soisy-pagamento-rateale/trunk/public/class-soisy-pagamento-rateale-public.php#L465"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2979568%40soisy-pagamento-rateale\u0026new=2979568%40soisy-pagamento-rateale\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-22T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2023-09-22T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2023-10-20T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Soisy Pagamento Rateale \u003c= 6.0.1 - Missing Authorization to Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2023-5132",
    "datePublished": "2023-10-21T01:53:41.144Z",
    "dateReserved": "2023-09-22T16:20:49.833Z",
    "dateUpdated": "2026-04-08T17:25:41.662Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}