WordPress Plugin Vulnerabilities

WooCommerce PayPal Payments < 2.0.5 - Merchant ID Details Update via CSRF

Description

The plugin does not have CSRF checks when updating the merchant ID details, which could allow attackers to make logged in users update them via a CSRF attack.

Affects Plugins

Plugin icon
woocommerce-paypal-payments
Fixed in 2.0.5

References

CVE
CVE-2023-35917

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
ac26669f-6a98-42cf-a54d-e2f4548be156

Timeline

Publicly Published
2023-06-20 (about 2 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2023-06-22 (about 2 years ago)

Other

Published
Title
Published
2025-01-24
Title
FluentSMTP < 2.2.81 - Cross-Site Request Forgery
Published
2025-01-16
Title
Theme My Ontraport Smartform <= 1.2.11 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2026-02-18
Title
Page Title, Description & Open Graph Updater <= 1.02 - Cross-Site Request Forgery to Arbitrary Page Title Modification
Published
2025-09-26
Title
Vehica Core < 1.0.101 - Cross-Site Request Forgery
Published
2025-09-22
Title
ShrinkTheWeb (STW) Website Previews <= 2.8.5 - Cross-Site Request Forgery