WordPress Plugin Vulnerabilities

YITH Request a Quote for WooCommerce < 1.6.4 - Unauthorised AJAX call via CSRF

Description

The ajax method did not properly check for CSRF, allowing attackers to make users call the ajax_add_item, ajax_remove_item or ajax_variation_exist actions, which will tamper with their session quote.

Proof of Concept

Affects Plugins

Plugin icon
yith-woocommerce-request-a-quote
Fixed in 1.6.4

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
02b63469-39dd-42c1-9afd-1ed39e0f5fb6

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2026-01-28
Title
Revision Manager TMC <= 2.8.22 - Cross-Site Request Forgery
Published
2025-04-09
Title
Windows Live Writer <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-11-13
Title
Hacklog DownloadManager <= 2.1.4 - Cross-Site Request Forgery to Arbitrary File Upload
Published
2024-01-02
Title
PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) < 2.7.14 - Settings Reset/Update via CSRF
Published
2025-04-14
Title
My auctions allegro < 3.6.34 - Cross-Site Request Forgery