WordPress Plugin Vulnerabilities

Add to Cart Text Changer and Customize Button, Add Custom Icon < 2.1 - Add to cart Text Update via CSRF

Description

The plugin is vulnerable to Cross-Site Request Forgery due to missing or incorrect nonce validation on the wactc_text_form function, allowing unauthenticated attackers to modify the WooCommerce Add to Cart text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woo-add-to-cart-text-change
Fixed in 2.1

References

CVE
CVE-2023-49153
URL
https://patchstack.com/database/vulnerability/woo-add-to-cart-text-change/wordpress-add-to-cart-text-changer-and-customize-button-add-custom-icon-plugin-2-0-cross-site-request-forgery-csrf-vulnerability

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Skalucy
Verified
Yes
WPVDB ID
abb923cd-245e-41f8-a52d-9c66ace2cf9d

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-03-08 (about 2 years ago)

Other

Published
Title
Published
2025-06-19
Title
Virtual Moderator <= 1.4 - Cross-Site Request Forgery
Published
2022-05-16
Title
Discy < 5.2 - Restore Default Settings via CSRF
Published
2024-08-07
Title
MainWP Child Reports < 2.2.1 - Cross-Site Request Forgery to Arbitrary Options Update
Published
2025-12-05
Title
WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update
Published
2025-04-01
Title
CLP – Custom Login Page by NiteoThemes <= 1.5.5 - Cross-Site Request Forgery