WordPress Plugin Vulnerabilities

Checkout Field Editor < 1.7.5 - Cross-Site Request Forgery to Checkout Fields Update

Description

The Checkout Field Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.7.4. This is due to missing nonce validation when updating checkout fields. This makes it possible for unauthenticated attackers to update checkout fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-checkout-field-editor
Fixed in 1.7.5

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ad430706-749f-4582-af07-6c543b8d5aad

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
No
WPVDB ID
09a9d35b-1652-4ae1-8138-806e91961a5c

Timeline

Publicly Published
2023-09-11 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-10 (about 2 years ago)

Other

Published
Title
Published
2024-04-11
Title
NextMove Lite < 2.18.2 - Cross-Site Request Forgery
Published
2025-06-05
Title
Market Exporter < 2.0.23 - Cross-Site Request Forgery
Published
2024-07-04
Title
Rara Business < 1.2.6 - Cross-Site Request Forgery to Notice Dismissal
Published
2025-03-11
Title
ZipList Recipe <= 3.1 - Cross-Site Request Forgery
Published
2025-01-06
Title
ViewMedica Embed < 1.4.18 - Cross-Site Request Forgery to SQL Injection