WordPress Plugin Vulnerabilities

Multiple Plugins from Viszt Peter - Multiple CSRF

Description

The plugins are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged in Shop Managers and above perform unwanted actions, such as deactivate the plugin's license

Proof of Concept

Affects Plugins

Plugin icon
woo-billingo-plus
Fixed in 4.4.5.4
Plugin icon
integration-for-billingo-gravity-forms
Fixed in 1.0.4
Plugin icon
integration-for-szamlazz-hu-gravity-forms
Fixed in 1.2.7
Plugin icon
integration-for-szamlazzhu-woocommerce
Fixed in 5.6.3.3
Plugin icon
hungarian-pickup-points-for-woocommerce
Fixed in 1.9.0.3

References

CVE
CVE-2022-3154
CVE
CVE-2022-41685

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
cda978b2-b31f-495d-8601-0aaa3e4b45cd

Timeline

Publicly Published
2022-09-14 (about 3 years ago)
Added
2022-09-14 (about 3 years ago)
Last Updated
2022-10-20 (about 3 years ago)

Other

Published
Title
Published
2025-05-07
Title
Accept Donations with PayPal < 1.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2022-01-31
Title
Post Snippets < 3.1.4 - CSRF to Stored Cross-Site Scripting
Published
2023-07-14
Title
WP Testimonials < 1.4.3 - Widget Deletion via CSRF
Published
2022-04-21
Title
VikBooking Hotel Booking Engine & PMS < 1.5.7 - Stored Cross-Site Scripting via CSRF
Published
2025-07-21
Title
CBX Restaurant Booking <= 1.2.1 - Plugin Reset via CSRF