WordPress Plugin Vulnerabilities

Checkout Field Editor < 1.7.5 - Checkout Fields Update via CSRF

Description

The plugin does not have CSRF check in place when updating checkout fields, which could allow attackers to make logged in users update them via a CSRF attack

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-checkout-field-editor
Fixed in 1.7.5

References

URL
https://hackerone.com/reports/1720758

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
Yes
WPVDB ID
61bbf6b7-683e-491b-8807-f74115ba199e

Timeline

Publicly Published
2023-09-11 (about 2 years ago)
Added
2023-09-11 (about 2 years ago)
Last Updated
2023-09-11 (about 2 years ago)

Other

Published
Title
Published
2025-03-24
Title
Info Boxes Shortcode and Widget <= 1.15 - Cross-Site Request Forgery
Published
2025-03-24
Title
WP e-Commerce Style Email <= 0.6.2 - Cross-Site Request Forgery to Remote Code Execution
Published
2025-12-11
Title
Foxtool All-in-One: Contact chat button, Custom login, Media optimize images < 2.5.3 - Cross-Site Request Forgery to Google OAuth Connection
Published
2025-02-17
Title
magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2024-01-10
Title
Voting Record <= 2.0 - Settings Update to Stored XSS via CSRF