WordPress Plugin Vulnerabilities

Express Shop < 4.0.3 - CSRF Bypass

Description

The plugin did not properly check for CSRF in its qcld_express_variable_product_quick_view AJAX action, allowing attacker to make user call it via a CSRF attack.

Affects Plugins

Plugin icon
express-shop
Fixed in 4.0.3

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
5090862a-5ddc-4db6-8544-41de4b61f0fe

Timeline

Publicly Published
2021-06-30 (about 4 years ago)
Added
2021-06-30 (about 4 years ago)
Last Updated
2021-06-30 (about 4 years ago)

Other

Published
Title
Published
2023-02-28
Title
WP Insurance < 2.1.4 - Arbitrary Plugin Activation via CSRF
Published
2025-03-28
Title
ShowTime Slideshow <= 1.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-07-16
Title
Coupon Affiliates < 6.4.1 - Cross-Site Request Forgery
Published
2026-05-11
Title
WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update
Published
2025-02-17
Title
MemorialDay < 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting