WordPress Plugin Vulnerabilities

Extra Product Options Builder for WooCommerce < 1.2.105 - Cross-Site Request Forgery to Notice Dismissal

Description

The Extra Product Options Builder for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.104. This is due to missing or incorrect nonce validation on the DontShowAgain() function. This makes it possible for unauthenticated attackers to dismiss notices via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
additional-product-fields-for-woocommerce
Fixed in 1.2.105

References

CVE
CVE-2024-31940
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c05856-fbee-498d-9e9f-f0a232df6d24

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
527c1f55-26d6-4cee-9a01-1c17e6dcecc2

Timeline

Publicly Published
2024-04-10 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2024-12-12
Title
Multiple Admin Emails <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2026-05-21
Title
Widget Context < 1.4.0 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter
Published
2025-02-03
Title
DSGVO All in one for WP < 4.7 - Cross-Site Request Forgery to Account Deletion
Published
2025-02-03
Title
Auto SEO < 2.6.6 - Stored XSS via CSRF
Published
2025-10-10
Title
GSheetConnector For Gravity Forms < 1.3.24 - Cross-Site Request Forgery to Arbitrary Plugin Activation/Deactivation