Information exposure vulnerability in the MRW plug-in

Posted date 04/07/2024
Identificador
INCIBE-2024-0344
Importance
4 - High
Affected Resources
  • MRW plugin, 5.4.3 version.
Description

INCIBE has coordinated the publication of 1 high severity vulnerability affecting the MRW plugin for Woocommerce, a module for shipping management and label generation, which has been discovered by Jesús Higueras.

This vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector and vulnerability type CWE.

  • CVE-2024-6506: CVSS v3.1:8.2 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L. | CWE-200.
Solution

The vulnerability has been fixed by the MRW team in version 5.5.1.

Detail

CVE-2024-6506: information exposure vulnerability in the MRW plugin affecting the "mrw_log" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also allows an attacker to create or overwrite shipping labels.

References list