Product Table by WBW < 1.8.7 – Cross-Site Request Forgery via saveGroup | CVE 2023-51512 | Plugin Vulnerabilities

Description

The Product Table by WBW plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on the saveGroup function. This makes it possible for unauthenticated attackers to modify product groups via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

woo-product-tables

Fixed in 1.8.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/eff03dbc-1bb7-4a72-b57c-f1bde966c286

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Skalucy

Verified

No

WPVDB ID

3523e8a2-ba17-4b47-8b99-28c3e31bad82

Timeline

Publicly Published

2023-12-27 (about 2 years ago)

Added

2024-01-05 (about 2 years ago)

Last Updated

2024-01-22 (about 2 years ago)

Other

Published

Title

Published

2024-04-29

Title

Xserver Migrator < 1.6.2.1 - Arbitrary File Upload via CSRF

Published

2024-04-10

Title

Marker.io < 1.1.9 - Cross-Site Request Forgery

Published

2015-02-11

Title

WPBook <= 3.7 - Cross-Site Request Forgery (CSRF)

Published

2025-09-11

Title

Ultimate Blogroll <= 2.5.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-07-21

Title

Like & Share My Site <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting