CVE-2023-0865: 
WordPress vulnerability analysis and mitigation

The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before version 21.7 contains an Insecure Direct Object Reference (IDOR) vulnerability identified as CVE-2023-0865. The vulnerability was discovered by Johannes Ludwig and Vincent Reckendrees, and was publicly disclosed on February 27, 2023. This security flaw affects the address management functionality of the plugin (WPScan).

The vulnerability stems from improper access control where the plugin fails to verify if the address being manipulated belongs to the authenticated user making the request. This IDOR vulnerability has been assigned a CVSS score of 7.1 (High) and is classified under CWE-639 and OWASP Top 10 category A5: Broken Access Control. The flaw affects the address management operations including adding, updating, retrieving, and deleting addresses through various AJAX endpoints (WPScan).

The vulnerability allows any authenticated user, including those with subscriber-level privileges, to perform unauthorized operations on other users' addresses. This includes the ability to add, update, duplicate, delete, and retrieve address information belonging to any user in the system. The impact is particularly significant for e-commerce sites where address information is crucial for order fulfillment and customer privacy (WPScan).

The vulnerability has been patched in version 21.7 of the WooCommerce Multiple Customer Addresses & Shipping plugin. Site administrators are strongly advised to update to this version or later to protect against unauthorized address manipulation (WPScan).