WordPress Plugin Vulnerabilities

WooCommerce Ship to Multiple Addresses < 3.7.2 - Address Creation/Update/Deletion via CSRF

Description

The plugin does not have CSRF checks when creating, updating and deleting addresses, which could allow attackers to make logged in users perform such action via CSRF attacks

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-shipping-multiple-addresses
Fixed in 3.7.2

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
Yes
WPVDB ID
0f48e85c-ba35-484f-9879-ac28ab3dd435

Timeline

Publicly Published
2022-10-05 (about 3 years ago)
Added
2023-08-07 (about 2 years ago)
Last Updated
2023-08-07 (about 2 years ago)

Other

Published
Title
Published
2021-08-25
Title
Nested Pages < 3.1.16 - CSRF to Arbitrary Post Deletion and Modification
Published
2025-01-08
Title
AI Scribe – SEO AI Writer, Content Generator, Humanizer, Blog Writer, SEO Optimizer, DALLE-3, AI WordPress Plugin ChatGPT (GPT-4o 128K) < 2.6 - Cross-Site Request Forgery to Settings Update
Published
2023-11-07
Title
UserHeat Plugin < 1.1.11 - Settings Update via CSRF
Published
2025-07-03
Title
RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update
Published
2024-08-17
Title
WP MultiTasking <= 0.1.12 - Reflected XSS via Shortcode