CVE-2024-5768 - Vulnerability Details - OpenCVE

The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve

History

Fri, 10 Apr 2026 04:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-862

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-06-19T03:12:32.044Z

Updated: 2026-04-08T17:14:17.883Z

Reserved: 2024-06-07T22:46:19.101Z

Link: CVE-2024-5768

Vulnrichment

Updated: 2024-08-01T21:18:07.045Z

NVD

Status : Deferred

Published: 2024-06-19T04:15:14.160

Modified: 2026-04-15T00:35:42.020

Link: CVE-2024-5768

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-5768", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-06-07T22:46:19.101Z", "datePublished": "2024-06-19T03:12:32.044Z", "dateUpdated": "2026-04-08T17:14:17.883Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:17.883Z"}, "affected": [{"vendor": "surakrai", "product": "MIMO Woocommerce Order Tracking", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting."}], "title": "MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "timeline": [{"time": "2024-06-18T14:42:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-15T18:35:09.984247Z", "id": "CVE-2024-5768", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T18:35:17.720Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:07.045Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:07.045Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5768", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-15T18:35:09.984247Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-15T18:35:14.425Z"}}], "cna": {"title": "MIMO Woocommerce Order Tracking <= 1.0.2 - Missing Authorization to Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Lucio S\u00e1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "surakrai", "product": "MIMO Woocommerce Order Tracking", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-06-18T14:42:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304"}], "descriptions": [{"lang": "en", "value": "The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:14:17.883Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5768", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:14:17.883Z", "dateReserved": "2024-06-07T22:46:19.101Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-06-19T03:12:32.044Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting."}, {"lang": "es", "value": "El complemento MIMO Woocommerce Order Tracking para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n 'mimo_update_provider' en todas las versiones hasta la 1.0.2 incluida. Esto hace posible que los atacantes autenticados, con acceso a nivel de suscriptor y superior, actualicen la informaci\u00f3n del proveedor de env\u00edo, incluida la adici\u00f3n de cross-site scripting almacenado."}], "id": "CVE-2024-5768", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-06-19T04:15:14.160", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://plugins.trac.wordpress.org/browser/mimo-woocommerce-order-tracking/tags/1.0.2/mimo-woocommerce-order-tracking.php#L304"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aa26e595-947c-4327-bbe1-c347688f1209?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}