Description
The plugin does not have a CSRF check when deleting a shipment, allowing attackers to make any logged-in user delete an arbitrary shipment via a CSRF attack.
Make any logged-in user open https://example.com/wp-admin/admin-post.php?action=multiparcels_delete_shipping&id=1 to make them delete the shipment with ID 1.
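The check that is missing from the delete handler, sketched as an added example (not the plugin's own code): a nonce bound to the action and shipment ID is placed in the delete link and verified, together with a capability check, before anything is deleted. The `example_*` function names, the `EXAMPLE_DELETE_ACTION` constant, the `manage_woocommerce` capability choice and the assumption that shipments are stored as posts are hypothetical; only the `multiparcels_delete_shipping` action and the `id` parameter come from the advisory.

```php
<?php
// Added example, not the plugin's code. Hypothetical: the example_* functions,
// EXAMPLE_DELETE_ACTION, the capability, and shipments being stored as posts.
const EXAMPLE_DELETE_ACTION = 'multiparcels_delete_shipping';

// Build the delete link with a nonce bound to this action and shipment ID.
function example_delete_shipment_url( $shipment_id ) {
    $shipment_id = absint( $shipment_id );
    $url         = add_query_arg(
        array( 'action' => EXAMPLE_DELETE_ACTION, 'id' => $shipment_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, EXAMPLE_DELETE_ACTION . '_' . $shipment_id );
}

// Assumption: a shipment is a post; replace with the real storage call.
function example_remove_shipment_record( $shipment_id ) {
    return (bool) wp_delete_post( $shipment_id, true );
}

function example_delete_shipment() {
    $shipment_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $shipment_id ) {
        wp_die( 'Missing shipment ID.', '', array( 'response' => 400 ) );
    }

    // Authorization: being logged in is not enough to delete shipments.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops with a 403 unless _wpnonce is valid for this user,
    // this action and this shipment ID. A forged cross-site link cannot
    // carry a valid value.
    check_admin_referer( EXAMPLE_DELETE_ACTION . '_' . $shipment_id );

    example_remove_shipment_record( $shipment_id );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
// admin-post.php dispatches ?action=multiparcels_delete_shipping to this hook.
add_action( 'admin_post_' . EXAMPLE_DELETE_ACTION, 'example_delete_shipment' );
```

Every link or form that triggers the action has to be generated with the nonce (here via `example_delete_shipment_url()`), otherwise legitimate deletions are rejected as well.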
CPE

| Name | Operator | Version |
|---|---|---|
| multiparcels-shipping-for-woocommerce | eq | 1.15.2 |