CVE-2023-4947 - Vulnerability Details - OpenCVE

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Yanco	Woocommerce Ean Payment Gateway

Configuration 1 [-]

cpe:2.3:a:yanco:woocommerce_ean_payment_gateway:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://www.spirityenterprise.com/pentest
https://www.spirityenterprise.com/managed-detection-response
https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/
https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve

History

Wed, 08 Apr 2026 17:00:00 +0000

Type	Values Removed	Values Added
Title		WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update

Wed, 12 Feb 2025 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Yanco Yanco woocommerce Ean Payment Gateway
CPEs	cpe:2.3:a:wpfactory:ean_for_woocommerce::::::wordpress::*	cpe:2.3:a:yanco:woocommerce_ean_payment_gateway::::::wordpress::*
Vendors & Products	Wpfactory Wpfactory ean For Woocommerce	Yanco Yanco woocommerce Ean Payment Gateway

Wed, 05 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2023-10-20T06:35:12.814Z

Updated: 2026-04-08T16:42:53.992Z

Reserved: 2023-09-13T15:03:45.844Z

Link: CVE-2023-4947

Vulnrichment

Updated: 2024-08-02T07:44:53.250Z

NVD

Status : Modified

Published: 2023-10-20T07:15:16.740

Modified: 2026-04-08T17:17:05.523

Link: CVE-2023-4947

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-4947", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2023-09-13T15:03:45.844Z", "datePublished": "2023-10-20T06:35:12.814Z", "dateUpdated": "2026-04-08T16:42:53.992Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:53.992Z"}, "affected": [{"vendor": "Yan&Co", "product": "WooCommerce EAN Payment Gateway", "versions": [{"version": "0", "status": "affected", "lessThan": "6.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders."}], "title": "WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve"}, {"url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}, {"lang": "en", "type": "finder", "value": "Yan&Co ApS"}], "timeline": [{"time": "2023-09-13T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:53.250Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-05T18:23:57.338442Z", "id": "CVE-2023-4947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T19:10:57.709Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:53.250Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-05T18:23:57.338442Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-05T18:23:58.952Z"}}], "cna": {"title": "WooCommerce EAN Payment Gateway < 6.1.0 - Missing Authorization to Authenticated (Contributor+) EAN Update", "credits": [{"lang": "en", "type": "finder", "value": "Istv\u00e1n M\u00e1rton"}, {"lang": "en", "type": "finder", "value": "Yan&Co ApS"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "Yan&Co", "product": "WooCommerce EAN Payment Gateway", "versions": [{"status": "affected", "version": "0", "lessThan": "6.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-09-13T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve"}, {"url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/"}], "descriptions": [{"lang": "en", "value": "The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:53.992Z"}}}, "cveMetadata": {"cveId": "CVE-2023-4947", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:42:53.992Z", "dateReserved": "2023-09-13T15:03:45.844Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2023-10-20T06:35:12.814Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yanco:woocommerce_ean_payment_gateway:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CC8AD8DD-12D3-4CC9-B977-F3072D24A61F", "versionEndExcluding": "6.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders."}, {"lang": "es", "value": "El complemento WooCommerce EAN Payment Gateway para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n actualizar_order_ean_data AJAX en versiones hasta 6.1.0. Esto hace posible que atacantes autenticados con acceso de nivel de colaborador y superior actualicen los n\u00fameros EAN de los pedidos."}], "id": "CVE-2023-4947", "lastModified": "2026-04-08T17:17:05.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-20T07:15:16.740", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.yanco.dk/product/woocommerce-ean-payment-gateway/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2760b183-3c15-4f0e-b72f-7c0333f9d4b6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}