WordPress Plugin Vulnerabilities

WooCommerce Pre-Orders < 2.0.3 - Unauthorised Actions via CSRF

Description

The plugin has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged in admins email pre-orders customer, change the released date, mark all pre-orders of a specific product as complete or cancel via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-pre-orders
Fixed in 2.0.3

References

CVE
CVE-2023-3508

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
064c7acb-db57-4537-8a6d-32f7ea31c738

Timeline

Publicly Published
2023-07-10 (about 2 years ago)
Added
2023-07-10 (about 2 years ago)
Last Updated
2023-07-10 (about 2 years ago)

Other

Published
Title
Published
2025-12-31
Title
Simple Archive Generator <= 5.2 - Cross-Site Request Forgery
Published
2024-12-11
Title
Password for WP < 1.6 - Stored XSS via CSRF
Published
2024-12-18
Title
gap-hub-user-role <= 3.4.1 - Cross-Site Request Forgery
Published
2022-09-01
Title
Captcha Code < 2.8 - Settings Update via CSRF
Published
2023-09-18
Title
Website Builder by SeedProd < 6.15.15.3 - Arbitrary Settings Update via CSRF