WordPress Plugin Vulnerabilities
MultiParcels Shipping For WooCommerce < 1.15.2 - Arbitrary Shipment Deletion via CSRF
Description
The plugin does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack
Proof of Concept
Make any logged in user open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to make them delete the shipment with ID 1
Affects Plugins
References
CVE
Classification
Type
CSRF
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-07-31 (about 10 months ago)
Added
2023-07-31 (about 10 months ago)
Last Updated
2023-07-31 (about 10 months ago)