WordPress Plugin Vulnerabilities

WOWRestro < 1.1 - CSRF Bypass

Description

The plugin does not properly check for CSRF in numerous of its AJAX actions, allowing attacker to make logged in users call them and perform unwanted actions, such as add/remove an item from their basket and empty it as well.

Proof of Concept

Affects Plugins

Plugin icon
wowrestro
Fixed in 1.1

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
56b4d66d-e496-4554-94a7-b28d193a31e0

Timeline

Publicly Published
2021-07-12 (about 4 years ago)
Added
2021-07-12 (about 4 years ago)
Last Updated
2021-07-12 (about 4 years ago)

Other

Published
Title
Published
2023-05-05
Title
Easy Appointments < 3.11.10 - Cross-Site Request Forgery
Published
2023-04-18
Title
BadgeOS <= 3.7.1.6 - CSRF
Published
2025-09-26
Title
HTACCESS IP Blocker <= 1.0 - Cross-Site Request Forgery
Published
2025-04-09
Title
Social Bookmarking RELOADED <= 3.18 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-10-03
Title
POEditor < 0.9.5 - CSRF