WordPress Plugin Vulnerabilities

WPHEKA Request For Quote < 1.3 - CSRF Bypass

Description

The plugin does not properly check for CSRF in its action_wpheka_add_to_quote and action_remove_item_from_rfq_list AJAX actions, allowing attacker to make users call them and perform unwanted actions.

Affects Plugins

Plugin icon
wpheka-request-for-quote
Fixed in 1.3

References

URL
https://plugins.trac.wordpress.org/changeset/2582716/

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
6f59f085-35c3-4b6e-9640-dcb16058a7e2

Timeline

Publicly Published
2021-07-05 (about 4 years ago)
Added
2021-07-05 (about 4 years ago)
Last Updated
2021-08-17 (about 4 years ago)

Other

Published
Title
Published
2024-07-01
Title
pz-frontend-manager < 1.0.6 - CSRF change user profile picture
Published
2021-07-19
Title
RestroPress < 2.8.3 - Cart Manipulation via CSRF
Published
2024-08-29
Title
Tourfic < 2.11.21 - Cross-Site Request Forgery in Multiple Functions
Published
2025-08-29
Title
Related Posts Lite <= 1.12 - Cross-Site Request Forgery
Published
2020-10-14
Title
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation