WordPress Plugin Vulnerabilities

WP EasyCart < 5.4.9 - Multiple CSRFs

Description

The plugin does not apply proper nonce validation routines in multiple AJAX requests, which makes it possible for attackers to trick an unsuspecting administrator into activating and deactivating products.

Affects Plugins

Plugin icon
wp-easycart
Fixed in 5.4.9

References

CVE
CVE-2023-2892
CVE
CVE-2023-2893
CVE
CVE-2023-2894
CVE
CVE-2023-2895
CVE
CVE-2023-2896

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
c7846ba1-4e0b-49df-82ef-2662c4619796

Timeline

Publicly Published
2023-05-27 (about 2 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2025-08-19
Title
Backup Bolt <= 1.4.1 - Cross-Site Request Forgery
Published
2024-04-11
Title
Responsive Contact Form Builder & Lead Generation Plugin < 1.9.0 - Cross-Site Request Forgery
Published
2026-04-21
Title
Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action
Published
2021-06-30
Title
SEO Wizard <= 4.0.2 - Unauthorised robots.txt & .htaccess Edit via CSRF
Published
2026-02-17
Title
Keybase.io Verification < 1.4.6 - Cross-Site Request Forgery to Settings Update