cleantalk
Vulnerabilities and Security Researches

WP-Recall – Registration, Profile, Commerce & More, CVE-2024-8292

CVE, Research URL

CVE-2024-8292

Home page URL

Security reports for WP-Recall – Registration, Profile, Commerce & More

Application

WP-Recall – Registration, Profile, Commerce & More

Published on
Sep 06, 2024
Research Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to to plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit.
Affected versions
Min -, max 16.26.9.
Status
vulnerable
Previous vulnerability researches
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-1323) , Mar 09, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-1324) , Mar 09, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-1325) , Mar 09, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2025-1322) , Mar 09, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2024-1175) , Jul 23, 2024
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
WordPress Review Plugin: The Ultimate Solution for Building a Review Website (CVE-2025-2158) , May 11, 2025
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025