WordPress Plugin Vulnerabilities

WooCommerce Subscription < 4.6.0 - Cross-Site Request Forgery

Description

The WooCommerce Subscription for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and not including, 4.6.0. This is due to missing or incorrect nonce validation when suspending or canceling subscriptions. This makes it possible for unauthenticated attackers to change arbitrary subscriptions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-subscriptions
Fixed in 4.6.0

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/08a98c08-cddc-4bc3-bc07-15d084070abd

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
foobar7
Verified
No
WPVDB ID
ba5064ab-a7ce-4441-af68-ba36f9acf1ed

Timeline

Publicly Published
2023-09-11 (about 2 years ago)
Added
2023-11-24 (about 2 years ago)
Last Updated
2023-12-10 (about 2 years ago)

Other

Published
Title
Published
2026-03-20
Title
Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update
Published
2024-09-30
Title
Copyscape Premium < 1.4.0 - Stored XSS via CSRF
Published
2025-01-16
Title
CNZZ&51LA for WordPress <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2023-10-13
Title
Hitsteps Web Analytics < 5.87 - Arbitrary Settings Update via CSRF
Published
2023-01-19
Title
Nice PayPal Button Lite <= 1.3.5 - CSRF