WordPress Plugin Vulnerabilities

WP EasyPay – Square for WordPress < 3.2.3 - Cross-Site Request Forgery

Description

The plugin does not properly validate nonce in the wpep_download_transaction_in_excel() function, leading to a potential Cross-Site Request Forgery vulnerability. As a result, unauthenticated users could trigger a transactions download if they can manipulate a site administrator into clicking on a manipulated link.

Affects Plugins

Plugin icon
wp-easy-pay
Fixed in 3.2.3

References

CVE
CVE-2021-4411
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a1fbb3a6-fcc2-47c5-a086-331e69292add

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Jerome Bruandet
Verified
No
WPVDB ID
9eb8fd6e-684f-4fd3-b347-66cd93d80f74

Timeline

Publicly Published
2021-07-05 (about 4 years ago)
Added
2023-07-12 (about 2 years ago)
Last Updated
2023-07-12 (about 2 years ago)

Other

Published
Title
Published
2025-04-14
Title
WooCommerce Products without featured images <= 0.1 - Cross-Site Request Forgery
Published
2023-05-11
Title
Forget About Shortcode Buttons < 2.1.3 - CSRF
Published
2026-04-21
Title
Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page
Published
2024-06-20
Title
Ali2Woo Lite < 3.4.7 - Stored XSS via CSRF
Published
2025-12-02
Title
ShopEngine < 4.8.6 - Cross-Site Request Forgery to Wishlist Manipulation