WooCommerce versions below 4.1.0 have an Unescaped Metadata when Duplicating Pro

  • Plugin Support Remi Corson – a11n

    (@corsonr)

    Automattic Happiness Engineer

    Hi there Steve,

    This is a fairly low-level issue since there are many checks before this action (the product duplication). We do, however, encourage you to update, but again, it might look scary but it’s not a major security hole.

    Thread Starter InDzine Steve

    (@steveindzine)

    Does the attacker have to be logged in for the site to be vulnerable?

    Plugin Support Remi Corson – a11n

    (@corsonr)

    Automattic Happiness Engineer

    Does the attacker have to be logged in for the site to be vulnerable?

    Correct

    Thread Starter InDzine Steve

    (@steveindzine)

    Do they need a particular user role? Like administrator?

    Plugin Support Remi Corson – a11n

    (@corsonr)

    Automattic Happiness Engineer

    This is by default connected to the “manage_woocommerce” permission but you can filter it down to “woocommerce_duplicate_product_capability”, here’s a great way to add this: https://publishpress.com/blog/duplicate-woocommerce-products/

    Thread Starter InDzine Steve

    (@steveindzine)

    That’s fine, just weighing up the risks of this vulnerability. Seems like they need to be logged in and be a shop manager in order to take advantage of the issue. Obviously it’s better to update, and I do plan on this, but it won’t be straight away. Thanks for all the help.
