WordPress Plugin Vulnerabilities

WooCommerce UPS Shipping – Live Rates and Access Points < 2.2.5 - Cross-Site Request Forgery

Description

The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.4. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unknown action granted they can trick a site administrator into performing an action such as clicking on a link. The impact of this vulnerability is unknown.

Affects Plugins

Plugin icon
flexible-shipping-ups
Fixed in 2.2.5

References

CVE
CVE-2024-31944
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2183a22-fba5-48d2-a68a-6914f04fb902

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
5e864d49-31d4-4d50-a61a-cbd6d2ec82ee

Timeline

Publicly Published
2024-04-11 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2022-09-28
Title
Store Locator < 1.4.6 - Stored XSS via CSRF
Published
2023-12-27
Title
EnvíaloSimple < 2.3 - API Key Update via CSRF
Published
2021-09-07
Title
Weather Effect < 1.3.4 - CSRF to Stored Cross-Site Scripting
Published
2023-07-17
Title
WP PDF Generator < 1.2.3 - Cross-Site Request Forgery
Published
2025-10-13
Title
Block Country <= 1.0 - Cross-Site Request Forgery