WordPress Plugin Vulnerabilities

Facebook for WooCommerce < 1.9.15 - CSRF allowing Option Update

Description

The original issue has been fixed via 1.9.14.

However, as additional CSRF checks have been implemented in 1.9.15, the fixed in has been set to 1.9.15

Affects Plugins

Plugin icon
facebook-for-woocommerce
Fixed in 1.9.15

References

CVE
CVE-2019-15841
CVE
CVE-2019-15840
URL
https://www.zdnet.com/article/disgruntled-security-firm-discloses-zero-days-in-facebooks-wordpress-plugins/
URL
https://plugins.trac.wordpress.org/changeset?reponame=&new=2109894%40facebook-for-woocommerce&old=2102444%40facebook-for-woocommerce

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.8 (high)

Miscellaneous

Verified
No
WPVDB ID
dbbcccd7-533a-4ab7-af64-c86bf3e2b677

Timeline

Publicly Published
2019-06-18 (about 6 years ago)
Added
2019-06-19 (about 6 years ago)
Last Updated
2020-09-22 (about 5 years ago)

Other

Published
Title
Published
2023-03-16
Title
WP Shortcode by MyThemeShop < 1.4.17 - CSRF
Published
2023-01-19
Title
SRS Simple Hits Counter < 1.1.1 - Settings Update via CSRF
Published
2024-11-22
Title
Google Plus Share and +1 Button <= 1.0 - Cross-Site Request Forgery
Published
2025-04-11
Title
Webcraftic Clearfy – WordPress optimization plugin < 2.3.2 - Cross-Site Request Forgery to Clear Cache
Published
2025-02-03
Title
WP Admin Custom Page <= 1.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting