CVE-2024-1747

The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vanquish:woocommerce_customers_manager:*:*:*:*:*:wordpress:*:*

History

29 May 2025, 17:23

Type	Values Removed	Values Added
References	~~() https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/ -~~	() https://wpscan.com/vulnerability/17e45d4d-0ee1-4863-a8a4-df8587f448ec/ - Exploit, Third Party Advisory
CPE		cpe:2.3:a:vanquish:woocommerce_customers_manager::::::wordpress::*
First Time		Vanquish Vanquish woocommerce Customers Manager
CWE		CWE-352

01 Aug 2024, 15:35

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-01 06:15

Updated : 2025-05-29 17:23

NVD link : CVE-2024-1747

Mitre link : CVE-2024-1747

CVE.ORG link : CVE-2024-1747

JSON object : View

Products Affected

vanquish

woocommerce_customers_manager

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.5 /10