Description

The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwid_storefront_set_page_slug&slug=hehehehe
The store can also be disabled via the ecwid_storefront_set_status action.
The list of affected AJAX actions includes:
- ecwid_storefront_set_status
- ecwid_storefront_set_store_on_front
- ecwid_storefront_set_display_cart_icon
- ecwid_storefront_set_page_slug
- ecwid_storefront_set_mainpage
- ecwid_storefront_create_page
- ecwid-save-spw-params
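To show what the missing check looks like and how it is normally fixed in a WordPress plugin, here is an added illustration (not the plugin's own code): a hypothetical admin-ajax handler for ecwid_storefront_set_page_slug without a nonce check, beside a hardened version using check_ajax_referer and a capability check. The option name, script handle and nonce action string are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The AJAX action name comes from the
// advisory; the handler body, option key and script handle are assumptions.

// Vulnerable pattern: a privileged handler that trusts any request carrying the
// logged-in admin's cookies. Nothing proves the request was issued from the
// plugin's own settings page, so a cross-site page can trigger it.
// Registered in the vulnerable version as:
// add_action( 'wp_ajax_ecwid_storefront_set_page_slug', 'vulnerable_set_page_slug' );
function vulnerable_set_page_slug() {
    $slug = sanitize_title( wp_unslash( $_GET['slug'] ?? '' ) );
    update_option( 'ecwid_store_page_slug', $slug ); // option name assumed
    wp_send_json_success();
}

// Hardened pattern, part 1: the settings page embeds a nonce bound to a named
// action so the admin-side JavaScript can send it as _ajax_nonce.
function hardened_enqueue_settings_script() {
    wp_localize_script( 'ecwid-admin', 'ecwidAjax', array( // handle assumed
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ecwid_storefront_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hardened_enqueue_settings_script' );

// Hardened pattern, part 2: the handler refuses requests without a valid nonce,
// then checks capability separately (a nonce proves intent, not authorization).
add_action( 'wp_ajax_ecwid_storefront_set_page_slug', 'hardened_set_page_slug' );
function hardened_set_page_slug() {
    // Stops with -1 / HTTP 403 unless _ajax_nonce (or _wpnonce) is valid for this action.
    check_ajax_referer( 'ecwid_storefront_settings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $slug = sanitize_title( wp_unslash( $_POST['slug'] ?? '' ) );
    if ( '' === $slug ) {
        wp_send_json_error( 'empty slug', 400 );
    }
    update_option( 'ecwid_store_page_slug', $slug );
    wp_send_json_success( array( 'slug' => $slug ) );
}
```

The same two checks apply to every action in the list above; a settings-changing handler that only hooks wp_ajax_* without a nonce verification is the signature to look for when auditing a plugin.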