Decorator – WooCommerce Email Customizer < 1.2.8 – Cross-Site Request Forgery | CVE 2023-48284 | Plugin Vulnerabilities

Description

The Decorator – WooCommerce Email Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.7. This is due to missing nonce validation on several functions such as ajax_reset(), wt_decorator_button_text(), wt_decorator_set_as_default(), and more. This makes it possible for unauthenticated attackers to modify several settings from the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

decorator-woocommerce-email-customizer

Fixed in 1.2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/db664d0a-a58d-4d8b-ae0a-074f32d8710c

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

thiennv

Verified

No

WPVDB ID

047e0954-53cd-4f7c-af3f-f24f1b0dfc33

Timeline

Publicly Published

2023-11-02 (about 6 months ago)

Added

2023-11-28 (about 5 months ago)

Last Updated

2024-01-22 (about 3 months ago)

Other

Published

Title

Published

2024-01-19

Title

VK Block Patterns < 1.31.2.0 - Cross-Site Request Forgery

Published

2024-02-02

Title

PowerPack Pro for Elementor < 2.10.8 - Cross-Site Request Forgery to Plugin Settings Modification and Cross-Site Scripting

Published

2023-09-11

Title

WooCommerce Subscriptions < 4.6.0 - Subscription Suspension/Activation via CSRF

Published

2024-04-10

Title

Calendarista Basic Edition < 3.0.3 - Cross-Site Request Forgery

Published

2016-02-10

Title

Duplicator <= 1.1.3 - Cross-Site Request Forgery (CSRF)