WooCommerce Pre-Orders < 2.0.3 – Arbitrary Pre-Order Canceling via CSRF | CVE 2023-3507 | Plugin Vulnerabilities

Description

The plugin has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged in admins cancel arbitrary pre-orders via a CSRF attack

Proof of Concept

Make a logged in admin open the URL below (42 being a pre-order to be canceled)

https://example.com/wp-admin/admin.php?page=wc_pre_orders&action=cancel_pre_order&order_id=42

Affects Plugins

woocommerce-pre-orders

Fixed in 2.0.3

References

CVE

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

e72bbe9b-e51d-40ab-820d-404e0cb86ee6

Timeline

Publicly Published

2023-07-10 (about 2 years ago)

Added

2023-07-10 (about 2 years ago)

Last Updated

2023-07-10 (about 2 years ago)

Other

Published

Title

Published

2024-05-29

Title

WP To Do <= 1.3.0 - Cross-Site Request Forgery via wptodo_settings

Published

2025-03-27

Title

Currency Switcher for WooCommerce < 0.0.8 - Cross-Site Request Forgery

Published

2023-05-24

Title

Flickr Justified Gallery <= 3.5 - Cross-Site Request Forgery

Published

2023-02-06

Title

ShopLentor < 2.5.2 - Settings Update via CSRF

Published

2024-12-11

Title

I Plant A Tree < 1.7.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting