Vulnerability detail

Enriched intelligence for a single CVE

9.8

CVSS
Critical

CVE-2023-28121

PUBLISHED

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of...

PoC available Remote Low complexity No user interaction

Vendor: WooCommerce
Product: WooCommerce Payments
Published: Apr 12, 2023
EPSS: 93.5% · 100% pctl

Description

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

wordpress nuclei_scanner

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Proof of concept available

Recorded 2023-03-30 23:50:39 UTC · Source

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
Wordfence	Jul 17, 2023

Scanner integrations

Scanner	Reference	Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-28121.yaml	Apr 25, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Jenderal92/WP-CVE-2023-28121

github · Created 2023-11-03 01:19:09 UTC · 1 stars

Wordpress CVE-2023-28121

im-hanzou/Mass-CVE-2023-28121

github · Created 2023-07-12 02:41:26 UTC · 11 stars

CVE-2023-28121 - WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation [ Mass Add Admin User ]

gbrsh/CVE-2023-28121

github · Created 2023-03-30 23:50:39 UTC · 38 stars

WooCommerce Payments: Unauthorized Admin Access Exploit

Timeline

CVE ID Reserved

March 10, 2023
Proof of Concept Exploit Available

March 30, 2023
CVE Published to Public

April 12, 2023
Added to KEVIntel

July 17, 2023
Detected by Nuclei

April 25, 2025