WordPress Plugin Vulnerabilities
Sumo < 1.35 - Cross-Site Request Forgery
Description
The Sumo plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.34. This is due to missing or incorrect nonce validation on the ajax_sumo_add_woocommerce_coupon and ajax_sumo_remove_woocommerce_coupon functions. This makes it possible for unauthenticated attackers to add and remove coupons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affects Plugins
References
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Friday
Verified
No
WPVDB ID
Timeline
Publicly Published
2024-04-05 (about 2 years ago)
Added
2024-04-11 (about 2 years ago)
Last Updated
2024-04-11 (about 2 years ago)