An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

The WooCommerce Payments Plugin installed on the remote host is affected by an authentication bypass vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114040	WooCommerce Payments Plugin for WordPress 4.8.x < 4.8.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114039	WooCommerce Payments Plugin for WordPress 4.9.x < 4.9.1 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114038	WooCommerce Payments Plugin for WordPress 5.0.x < 5.0.4 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114037	WooCommerce Payments Plugin for WordPress 5.1.x < 5.1.3 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114036	WooCommerce Payments Plugin for WordPress 5.2.x < 5.2.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114035	WooCommerce Payments Plugin for WordPress 5.3.x < 5.3.1 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114034	WooCommerce Payments Plugin for WordPress 5.4.x < 5.4.1 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114033	WooCommerce Payments Plugin for WordPress 5.5.x < 5.5.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114032	WooCommerce Payments Plugin for WordPress 6.2.x < 6.2.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
114031	WooCommerce Payments Plugin for WordPress 6.3.x < 6.3.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical
113838	WooCommerce Payments Plugin for WordPress 5.6.x < 5.6.2 Authentication Bypass	Web App Scanning	Component Vulnerability	critical

Detections

Analytics

CVE-2023-28121

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical