CVE-2024-9109 MEDIUM

CVE-2024-9109: UPS Live Rates and Access Points <= 2.3.12 - Missing Authorization to Plugin API key reset

Vendor: Octolize
Product: Shipping Live Rates and Access Points for UPS for WooCommerce
Weakness: CWE-862 (Missing authorization)
Published: October 25, 2024
Last update: April 8, 2026

CVSS base score

4.3/10 (Medium)
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description (what the vulnerability does)

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key.
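The pattern behind CWE-862 here is a handler that is reachable by any authenticated user but never asks whether that user is allowed to perform the action. The following is an added illustration, not the Octolize plugin's own code: it assumes the reset is exposed as a hypothetical admin-ajax action (`example_reset_api_key`) that clears a hypothetical option (`example_ups_oauth_data`), and shows the missing-check form beside a hardened form.

```php
<?php
// Added illustration of the vulnerability class; NOT the plugin's actual code.
// Assumptions (hypothetical): the reset runs as admin-ajax action
// "example_reset_api_key" and the credentials live in option "example_ups_oauth_data".

// Vulnerable pattern (CWE-862). A wp_ajax_* hook only requires that the caller be
// logged in; because the handler itself performs no capability or nonce check,
// a Subscriber can wipe the stored UPS credentials with a single POST.
function example_delete_oauth_data_vulnerable() {
    delete_option( 'example_ups_oauth_data' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reset_api_key', 'example_delete_oauth_data_vulnerable' );

// Hardened form. Two independent checks precede the destructive call:
//  1. check_ajax_referer() rejects requests without a valid nonce (CSRF).
//  2. current_user_can('manage_woocommerce') limits the action to shop
//     managers and administrators; Subscribers and Customers fail this test.
function example_delete_oauth_data_hardened() {
    check_ajax_referer( 'example_reset_api_key', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    delete_option( 'example_ups_oauth_data' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reset_api_key', 'example_delete_oauth_data_hardened' );

// The settings page that offers the reset button must emit the matching nonce,
// e.g. via wp_create_nonce( 'example_reset_api_key' ), and send it as "nonce".
```

When auditing a plugin for this class of bug, list every `wp_ajax_*`, REST, and `admin_post_*` callback and confirm each one performs its own `current_user_can()` check; registration on the hook alone grants nothing.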

Summary (explanation in simple terms)

The Shipping Live Rates and Access Points for UPS for WooCommerce plugin does not properly check user permissions before allowing certain actions. A logged-in user with low privileges can modify data they should not have access to. The vulnerability affects versions up to 2.3.12. Update to a version newer than 2.3.12 to resolve this issue.

Attacker capabilities

A low-privilege logged-in user can modify shipping or access point data without proper authorization.

Site impact

Unauthorized users could alter shipping rates, access points, or related UPS integration settings, potentially disrupting order fulfillment.

Prerequisites (conditions required to exploit)

The attacker must have a low-privilege account on the WooCommerce site (e.g., the Customer or Subscriber role).

Disclosure timeline

October 25, 2024: CVE published
April 8, 2026: Record updated
