{"api_version":"1","generated_at":"2026-04-23T19:06:20+00:00","cve":"CVE-2020-11497","urls":{"html":"https://cve.report/CVE-2020-11497","api":"https://cve.report/api/cve/CVE-2020-11497.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-11497","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-11497"},"summary":{"title":"CVE-2020-11497","description":"An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-08-26 19:15:00","updated_at":"2020-09-01 14:28:00"},"problem_types":["CWE-354"],"metrics":[],"references":[{"url":"http://packetstormsecurity.com/files/158931/WordPress-NAB-Transact-WooCommerce-2.1.0-Payment-Bypass.html","name":"http://packetstormsecurity.com/files/158931/WordPress-NAB-Transact-WooCommerce-2.1.0-Payment-Bypass.html","refsource":"MISC","tags":["Third Party Advisory"],"title":"WordPress NAB Transact WooCommerce 2.1.0 Payment Bypass ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/fulldisclosure/2020/Aug/13","name":"http://seclists.org/fulldisclosure/2020/Aug/13","refsource":"MISC","tags":["Exploit","Mailing List","Third Party Advisory"],"title":"Full Disclosure: Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.themissinglink.com.au/security-advisories-cve-2020-11497","name":"https://www.themissinglink.com.au/security-advisories-cve-2020-11497","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Advisory cve-2020-11497","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-11497","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-11497","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"11497","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"woocommerce","cpe5":"nab_transact","cpe6":"2.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"11497","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"woocommerce","cpe5":"nab_transact","cpe6":"2.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-11497","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.themissinglink.com.au/security-advisories-cve-2020-11497","refsource":"MISC","name":"https://www.themissinglink.com.au/security-advisories-cve-2020-11497"},{"refsource":"FULLDISC","name":"20200821 Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure","url":"http://seclists.org/fulldisclosure/2020/Aug/13"},{"refsource":"MISC","name":"http://seclists.org/fulldisclosure/2020/Aug/13","url":"http://seclists.org/fulldisclosure/2020/Aug/13"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/158931/WordPress-NAB-Transact-WooCommerce-2.1.0-Payment-Bypass.html","url":"http://packetstormsecurity.com/files/158931/WordPress-NAB-Transact-WooCommerce-2.1.0-Payment-Bypass.html"}]}},"nvd":{"publishedDate":"2020-08-26 19:15:00","lastModifiedDate":"2020-09-01 14:28:00","problem_types":["CWE-354"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:woocommerce:nab_transact:2.1.0:*:*:*:*:wordpress:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"11497","Ordinal":"172046","Title":"CVE-2020-11497","CVE":"CVE-2020-11497","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"11497","Ordinal":"1","NoteData":"An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"11497","Ordinal":"2","NoteData":"2020-08-26","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"11497","Ordinal":"3","NoteData":"2020-08-27","Type":"Other","Title":"Modified"}]}}}