Multiple WebToffee Plugins - Cross-Site Request Forgery (CSRF) Issue

Description
From https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users/ (at the bottom)

"Several additional WooCommerce-centric import/export plugins from WebToffee used the same import functionality. However, they were unable to be activated unless WooCommerce was installed, ensuring that the manage_woocommerce capability check was sufficient in restricting low-level users from completing imports.

Despite that, there were no nonce checks on these imports, meaning that the source of requests was not verified. If an administrator of a site was tricked into executing an unwanted action, products could be injected, along with comments, orders and more, potentially containing malicious payloads."
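The pattern the Wordfence write-up describes, a capability check with no request-origin check, and the fix WordPress provides for it, shown as an added example. This is not code from WebToffee, Wordfence or WPScan; it assumes a WordPress runtime, and the hook name `admin_post_example_import`, the nonce action `example_import_action`, the field names and the `example_` functions are all illustrative.

```php
<?php
// Added example (not the plugin vendor's code). Requires WordPress, which
// supplies current_user_can(), check_admin_referer(), wp_nonce_field(),
// wp_insert_post() and friends. All "example_*" names are assumed.

// --- Vulnerable pattern: authorization only, no proof of request origin ---
// The capability check is correct as authorization, but it cannot tell a
// form submitted from wp-admin apart from one auto-submitted by a page the
// logged-in shop manager was lured onto: the browser sends the same cookies
// either way, so the import runs with the victim's privileges.
function example_import_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $rows = isset( $_POST['csv_rows'] ) ? (array) wp_unslash( $_POST['csv_rows'] ) : array();
    example_do_import( $rows );
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}

// --- Hardened handler: nonce bound to this action, then the capability check
// check_admin_referer() stops the request (WordPress's "link has expired"
// page) when the nonce is missing, expired, or was issued for a different
// user or action. A third-party page cannot read the nonce out of the admin
// form because of the same-origin policy, so it cannot forge a valid POST.
function example_import_hardened() {
    check_admin_referer( 'example_import_action', 'example_import_nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $rows = isset( $_POST['csv_rows'] ) ? (array) wp_unslash( $_POST['csv_rows'] ) : array();
    example_do_import( $rows );
    wp_safe_redirect( admin_url( 'admin.php?page=example-import&done=1' ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the nonce is still
// required because "logged in" is exactly the state CSRF abuses.
add_action( 'admin_post_example_import', 'example_import_hardened' );

// The admin form that issues the nonce. wp_nonce_field() emits a hidden
// example_import_nonce input tied to the current user and session; it
// rotates every 12 hours and is rejected after 24.
function example_import_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_import">
        <?php wp_nonce_field( 'example_import_action', 'example_import_nonce' ); ?>
        <textarea name="csv_rows[]" rows="5" cols="60"></textarea>
        <?php submit_button( 'Import' ); ?>
    </form>
    <?php
}

// Minimal import: each row is "name,price". Fields are sanitized before they
// reach the database, which limits the damage of an injected row even if the
// origin check were bypassed.
function example_do_import( array $rows ) {
    $created = array();
    foreach ( $rows as $row ) {
        $fields = array_map( 'trim', explode( ',', (string) $row, 2 ) );
        if ( count( $fields ) !== 2 ) {
            continue; // malformed row, skip rather than guess
        }
        $post_id = wp_insert_post( array(
            'post_type'   => 'product',
            'post_status' => 'draft',   // never publish straight from an import
            'post_title'  => sanitize_text_field( $fields[0] ),
        ), true );
        if ( is_wp_error( $post_id ) ) {
            continue;
        }
        update_post_meta( $post_id, '_price', (float) $fields[1] );
        $created[] = $post_id;
    }
    return $created;
}
```

For AJAX entry points the equivalent of `check_admin_referer()` is `check_ajax_referer()`, and the nonce is passed as a request parameter or the `X-WP-Nonce` header rather than a form field; the same rule applies: a capability check answers "may this user do it", a nonce answers "did this user actually ask for it", and an import that changes data needs both.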

Affects Plugins

References

URL https://www.wordfence.com/blog/2020/03/vulnerability-patched-in-import-export-wordpress-users/

Classification

Type CSRF
CWE CWE-352

Miscellaneous

Original Researcher Wordfence
Views 923
Verified No
WPVDB ID 10126

Timeline

Publicly Published 2020-03-11 (23 days ago)
Added 2020-03-11 (22 days ago)
Last Updated 2020-03-13 (20 days ago)
