exploitDog

GHSA-5qc9-c8x2-67jw

Опубликовано: 14 мая 2022

Источник: github

Github: Не прошло ревью

CVSS3: 6.5

Описание

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities.

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities.

Ссылки

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

CVE ID

Дефекты

CWE-352

Связанные уязвимости

CVE-2018-11633

CVSS3: 6.5

nvd

больше 7 лет назад

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities.

EPSS

Процентиль: 29%

0.00103

Низкий

6.5 Medium

CVSS3

CVE ID

Дефекты

CWE-352