WordPress Plugin Vulnerabilities

MailerLite – WooCommerce integration < 2.0.9 - Cross-Site Request Forgery via Multiple AJAX Functions

Description

The MailerLite – WooCommerce integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.8. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woo-mailerlite
Fixed in 2.0.9

References

CVE
CVE-2023-52223
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9ea7ccb0-c0fb-4ef3-8041-9bf5abe36e3f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Brandon James Roldan (tomorrowisnew)
Verified
No
WPVDB ID
6a4bc131-22ac-4312-8738-0ab3fa86a665

Timeline

Publicly Published
2024-01-08 (about 2 years ago)
Added
2024-01-15 (about 2 years ago)
Last Updated
2024-01-15 (about 2 years ago)

Other

Published
Title
Published
2024-06-03
Title
Emergency Password Reset < 9.0 - Cross-Site Request Forgery
Published
2024-08-22
Title
ILC Thickbox <= 1.0 - Settings update via CSRF
Published
2024-03-27
Title
Events Manager < 6.4.7.2 - Cross-Site Request Forgery
Published
2022-04-27
Title
Coru LFMember <= 1.0.2 - Arbitrary Game Deletion/Activation via CSRF
Published
2024-04-26
Title
Hide Dashboard Notifications < 1.3 - Cross-Site Request Forgery