The BuddyPress WooCommerce My Account Integration plugin for WordPress is at risk of having its data changed without permission. This is because the function wc4bp_shop_profile_sync_ajax() in versions 3.4.19 and below does not have a check for the appropriate permissions. As a result, attackers who are logged in with subscriber-level access or higher can synchronize shop profiles without authorization.