CVE-2023-4924 MEDIUM

CVE-2023-4924: BEAR <= 1.1.3.3 - Missing Authorization to Product Deletion

Vendor Realmag777
Product BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Weakness CWE-352 · CSRF
Published October 20, 2023
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products.

Key dates

02Disclosure timeline

October 20, 2023 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-1435 bbPress <= 2.6.11 - Cross-Site Request Forgery to Limited Privilege Escalation CVE-2024-4218 AffiEasy <= 1.1.6 - Cross-Site Request Forgery to Various Actions CVE-2026-2723 Post Snippits <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update CVE-2026-9730 Remove NoFollow Commenter URL <= 1.0 - Cross-Site Request Forgery to Settings Update CVE-2023-2405 CRM and Lead Management by vcita <= 2.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting