Bulgarisation for WooCommerce < 3.0.15 – Cross-Site Request Forgery | CVE 2024-2395 | Plugin Vulnerabilities

Description

The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to generate and delete labels via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

bulgarisation-for-woocommerce

Fixed in 3.0.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff1d12e-1129-40d3-8c29-3a46ffc77872

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

57d85401-9ed6-4a03-8a26-6a1fc935b49b

Timeline

Publicly Published

2024-03-12 (about 2 years ago)

Added

2024-03-12 (about 2 years ago)

Last Updated

2024-03-12 (about 2 years ago)

Other

Published

Title

Published

2025-05-16

Title

Wishlist <= 2.1.0 - Missing Authorization

Published

2025-12-12

Title

Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions

Published

2023-10-24

Title

FeedFocal < 1.3.0 - Unauthenticated Tracking Code Update

Published

2025-05-16

Title

Rozario <= 1.4 - Missing Authorization

Published

2026-02-17

Title

Order Splitter for WooCommerce < 5.3.6 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure