WordPress Plugin Vulnerabilities

Checkout Field Editor (Premium) < 1.7.5 - Cross-Site Request Forgery

Description

The Premium version of the Checkout Field Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions before 1.7.5. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to update checkout fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-checkout-field-editor
Fixed in 1.7.5

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a4647210-ba7e-4233-83d6-12572213f5fb

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
No
WPVDB ID
83851d10-c094-40e7-827b-e22a76398540

Timeline

Publicly Published
2023-09-11 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-10 (about 2 years ago)

Other

Published
Title
Published
2025-12-11
Title
Secure Copy Content Protection and Content Locking < 4.9.3 - Cross-Site Request Forgery to Data Export
Published
2024-12-12
Title
WP-HideThat <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-09-29
Title
Instant CSS < 1.2.2 - Theme/CSS/Minify/Preprocessor Data Update via CSRF
Published
2025-09-22
Title
Emergency Password Reset < 9.4 - Cross-Site Request Forgery
Published
2023-10-26
Title
Thumbnail carousel slider < 1.0.1 - Cross-Site Request Forgery to Mass Slider Deletion