cleantalk
Vulnerabilities and Security Researches

License Manager for WooCommerce, CVE-2024-1639

CVE, Research URL

CVE-2024-1639

Home page URL

Security reports for License Manager for WooCommerce

Application

License Manager for WooCommerce

Published on
Jun 21, 2024
Research Description
The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the "license" JS variable.
Affected versions
Min -, max 3.0.7.
Status
vulnerable
Previous vulnerability researches
License Manager for WooCommerce (CVE-2024-1639) , Jun 22, 2024
License Manager for WooCommerce (CVE-2022-4974) , Nov 14, 2024
License Manager for WooCommerce (CVE-2025-32522) , Apr 14, 2025
License Manager for WooCommerce (c23241aa8778d1caab55d91ad429e196a0d97d91) , Jun 07, 2024
License Manager for WooCommerce (CVE-2023-48742) , Jun 07, 2024
New vulnerability
My auctions allegro (CVE-2025-27009) , Apr 16, 2025
Flamingo , Apr 16, 2025
Advance WP Query Search Filter (CVE-2025-26743) , Apr 15, 2025
SKT Skill Bar (CVE-2025-26880) , Apr 15, 2025
WP Featured Screenshot (CVE-2025-32557) , Apr 15, 2025