Flexible Wishlist for WooCommerce Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress, affecting all versions through 1.2.26. The vulnerability arises from inadequate nonce validation in several functions, allowing unauthenticated attackers to manipulate other users' wishlists. Exploitation requires tricking a site administrator into clicking a link that initiates the forged request.
Impact
Exploitation of this vulnerability allows for unauthorized modification, updating, or creation of wishlists on behalf of other users.
Reproduction
To reproduce this vulnerability, an attacker must craft a request that exploits the missing nonce validation. This can be done by tricking an administrator into clicking a link that sends the forged request, using social engineering tactics to bypass the lack of authentication requirements.
Remediation
Users are advised to update the Flexible Wishlist for WooCommerce plugin to version 1.2.27 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.