MultiParcels Shipping For WooCommerce < 1.15.2 – Arbitrary Shipment Deletion via CSRF | CVE 2023-3366 | Plugin Vulnerabilities

Description

The plugin does not have CRSF check when deleting a shipment, allowing attackers to make any logged in user, delete arbitrary shipment via a CSRF attack

Proof of Concept

Make any logged in user open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to make them delete the shipment with ID 1

Affects Plugins

multiparcels-shipping-for-woocommerce

Fixed in 1.15.2

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

b2f06223-9352-4227-ae94-32061e2c5611

Timeline

Publicly Published

2023-07-31 (about 2 years ago)

Added

2023-07-31 (about 2 years ago)

Last Updated

2023-07-31 (about 2 years ago)

Other

Published

Title

Published

2022-05-30

Title

Multi-page Toolkit <= 2.6 - Arbitrary Settings Update to Stored XSS via CSRF

Published

2025-12-11

Title

BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion

Published

2025-04-18

Title

KiotViet Sync <= 1.8.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-03-26

Title

Football Pool < 2.12.3 - Cross-Site Request Forgery to Settings Update

Published

2023-03-17

Title

WP-Advanced-Search < 3.3.9 - Settings Update via CSRF