WordPress Plugin Vulnerabilities

Event Manager for WooCommerce < 3.7.8 - Cross-Site Request Forgery (CSRF)

Description

The plugin does not protect its uninstall_reason_submission action against CSRF attacks, allowing an unauthenticated attacker to trick a logged in admin to submit a deactivate reason by submitting a crafted request.

Affects Plugins

Plugin icon
mage-eventpress
Fixed in 3.7.8

References

CVE
CVE-2022-47164

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
29ddcfe9-1262-4cad-82c3-58dac5c16a2c

Timeline

Publicly Published
2023-03-16 (about 1 years ago)
Added
2023-05-29 (about 11 months ago)
Last Updated
2023-05-29 (about 11 months ago)

Other

Published
Title
Published
2023-11-02
Title
WP Google My Business Auto Publish < 3.8 - Multiple CSRF
Published
2021-10-04
Title
Paypal Donation < 1.3.1 - CSRF to Stored Cross-Site Scripting
Published
2022-07-04
Title
Name Directory < 1.25.4 - Stored Cross-Site Scripting via CSRF
Published
2023-05-24
Title
Booking Ultra Pro < 1.1.7 - Cross-Site Request Forgery
Published
2021-06-30
Title
Journey Analytics < 1.0.13 - Unauthorised AJAX call via CSRF