Ecwid Ecommerce Shopping Cart < 6.12.5 – Arbitrary Plugin Settings Change via CSRF | CVE 2023-6292 | Plugin Vulnerabilities

Description

The plugin does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Proof of Concept

http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwid_storefront_set_page_slug&slug=hehehehe

Besides, you can disable the store via the ecwid_storefront_set_status action.

The list of affected AJAX actions include:

- ecwid_storefront_set_status
- ecwid_storefront_set_store_on_front
- ecwid_storefront_set_display_cart_icon
- ecwid_storefront_set_page_slug
- ecwid_storefront_set_mainpage
- ecwid_storefront_create_page
- ecwid-save-spw-params

Affects Plugins

ecwid-shopping-cart

Fixed in 6.12.5

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając (CERT PL)

Submitter

Krzysztof Zając (CERT PL)

Submitter website

https://cert.pl

Submitter twitter

Verified

Yes

WPVDB ID

d4cf799e-2571-4b96-a303-78dcafbfcf40

Timeline

Publicly Published

2023-11-21 (about 2 years ago)

Added

2023-12-05 (about 2 years ago)

Last Updated

2023-12-05 (about 2 years ago)

Other

Published

Title

Published

2023-06-02

Title

Multiple plugins by vcita - CSRF to Stored XSS in settings page

Published

2025-01-16

Title

Send to Twitter <= 1.7.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Published

2025-01-24

Title

WP Fast Total Search < 1.79.262 - Cross-Site Request Forgery

Published

2022-10-20

Title

Simple SEO < 1.8.13 - Sitemap Creation/Deletion via CSRF

Published

2025-02-13

Title

Simple Documentation <= 1.2.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting