The plugin has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack.
Make a logged-in admin open the URL below (42 being the pre-order to be canceled): https://example.com/wp-admin/admin.php?page=wc_pre_orders&action=cancel_pre_order&order_id=42
| CPE | Name | Operator | Version |
|---|---|---|---|
| | woocommerce-pre-orders | lt | 2.0.3 |
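For contrast with the flawed check described above, the following is an added example (not the plugin's own code) of how a WordPress admin "cancel" action is protected against CSRF: the link carries a nonce bound to the specific action and order id, and the handler verifies capability and nonce unconditionally before acting. The function names `my_cancel_pre_order_url`, `my_handle_cancel_pre_order` and `my_cancel_pre_order` are hypothetical; the WordPress/WooCommerce APIs used are real.

```php
<?php
// Added example, not the plugin's code. Assumes a hypothetical
// my_cancel_pre_order( $order_id ) that performs the actual cancellation.

// Build the cancel link with a nonce tied to this exact action and order id.
function my_cancel_pre_order_url( $order_id ) {
    $order_id = absint( $order_id );
    $url = add_query_arg(
        array(
            'page'     => 'wc_pre_orders',
            'action'   => 'cancel_pre_order',
            'order_id' => $order_id,
        ),
        admin_url( 'admin.php' )
    );
    // Appends _wpnonce=...; a cross-site page cannot know this value for the victim.
    return wp_nonce_url( $url, 'cancel_pre_order_' . $order_id );
}

// Handler: only act once the request is authorized AND the nonce verifies.
function my_handle_cancel_pre_order() {
    if ( ! isset( $_GET['page'], $_GET['action'] )
        || 'wc_pre_orders' !== $_GET['page']
        || 'cancel_pre_order' !== $_GET['action'] ) {
        return; // not our action
    }

    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    if ( ! $order_id ) {
        wp_die( 'Missing order id.' );
    }

    // Authorization check: the user must be allowed to manage orders at all.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // CSRF check: the nonce must match this action + order id. Verify
    // unconditionally (never only "if a nonce was supplied"); this call
    // terminates the request with a 403 page when the nonce is absent or bad.
    check_admin_referer( 'cancel_pre_order_' . $order_id );

    my_cancel_pre_order( $order_id ); // hypothetical cancellation routine
    wp_safe_redirect( admin_url( 'admin.php?page=wc_pre_orders&cancelled=1' ) );
    exit;
}
add_action( 'admin_init', 'my_handle_cancel_pre_order' );
```

Because the nonce is bound to the order id and the check runs before any state change, a forged link such as the one in the proof of concept fails at `check_admin_referer` instead of canceling the pre-order.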