WordPress Plugin Vulnerabilities

WooCommerce Checkout & Funnel Builder by CartFlows < 1.5.16 - Cross-Site Request Forgery

Description

The plugin does not protect the export_json, import_json, and status_logs_file functions against CSRF attacks, allowing an unauthenticated attacker to import/export settings and trigger logs showing by tricking a logged in administrator to submit a crafted request.

Affects Plugins

Plugin icon
cartflows
Fixed in 1.5.16

References

CVE
CVE-2020-36736
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/cartflows/woocommerce-checkout-funnel-builder-by-cartflows-create-high-converting-stores-for-woocommerce-1515-cross-site-request-forgery-bypass

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
50873e7c-d97c-4b7a-bd8e-b95d611d83b7

Timeline

Publicly Published
2020-09-26 (about 5 years ago)
Added
2023-07-04 (about 2 years ago)
Last Updated
2023-07-04 (about 2 years ago)

Other

Published
Title
Published
2021-07-02
Title
Woostify < 1.9.2 - CSRF Bypass
Published
2026-01-23
Title
Alex User Counter <= 6.0 - Cross-Site Request Forgery to Settings Update
Published
2025-01-16
Title
CNZZ&51LA for WordPress <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-05-19
Title
Falang multilanguage < 1.3.62 - Cross-Site Request Forgery
Published
2022-04-05
Title
Ad Invalid Click Protector (AICP) < 1.2.7 - Arbitrary Ban Deletion via CSRF