Description: The plugin does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
http://vulnerable-site.tld/wp-admin/admin-ajax.php?action=ecwid_storefront_set_page_slug&slug=hehehehe

Besides, you can disable the store via the ecwid_storefront_set_status action. The list of affected AJAX actions includes:
- ecwid_storefront_set_status
- ecwid_storefront_set_store_on_front
- ecwid_storefront_set_display_cart_icon
- ecwid_storefront_set_page_slug
- ecwid_storefront_set_mainpage
- ecwid_storefront_create_page
- ecwid-save-spw-params
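The following is an added illustration of the defect class, not code from the Ecwid plugin or from this advisory. It shows a generic WordPress admin-ajax settings handler in the unprotected shape described above (any request that carries the admin's cookies changes the option) next to a hardened version that verifies a nonce with check_ajax_referer and checks the caller's capability. The action names (example_set_page_slug, example_set_page_slug_v2), the option name, the settings page hook and the script handle are placeholders chosen for the example.

```php
<?php
// Added example, not the plugin's own code. All action, option and script
// names below are hypothetical placeholders.

// Unprotected handler: the only thing it relies on is the admin's session
// cookie, which the browser attaches to cross-site requests as well.
add_action( 'wp_ajax_example_set_page_slug', 'example_set_page_slug_unprotected' );
function example_set_page_slug_unprotected() {
    $slug = isset( $_REQUEST['slug'] ) ? sanitize_title( wp_unslash( $_REQUEST['slug'] ) ) : '';
    update_option( 'example_page_slug', $slug );
    wp_send_json_success( array( 'slug' => $slug ) );
}

// Hardened handler: require a nonce bound to this action, then a capability.
add_action( 'wp_ajax_example_set_page_slug_v2', 'example_set_page_slug_hardened' );
function example_set_page_slug_hardened() {
    // Terminates the request (HTTP 403, body "-1") unless the 'security'
    // field carries a valid nonce created for 'example_set_page_slug'.
    // A page on another origin cannot obtain that value.
    check_ajax_referer( 'example_set_page_slug', 'security' );

    // A nonce proves intent, not authority: still check who is asking.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // State-changing actions should accept POST only, and validate input.
    $slug = isset( $_POST['slug'] ) ? sanitize_title( wp_unslash( $_POST['slug'] ) ) : '';
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'invalid slug' ), 400 );
    }
    update_option( 'example_page_slug', $slug );
    wp_send_json_success( array( 'slug' => $slug ) );
}

// Hand the nonce to the plugin's own admin-side JavaScript so that legitimate
// requests from the settings page can include it as the 'security' field.
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
function example_enqueue_settings_script( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_set_page_slug' ),
    ) );
}
```

When reviewing a plugin for this issue, every wp_ajax_ callback that writes options or creates pages should reach a check_ajax_referer (or wp_verify_nonce) call and a current_user_can check before the write; the advisory's list of affected actions is the kind of inventory such a review produces.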