CVE-2023-6625: Cross-Site Request Forgery in Product Enquiry for WooCommerce

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 82.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 22

Description

The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 1 package

Vulnerability Details (2)

GHSA, 2024-01-22: GHSA-wpjc-hhm5-vq6r: The Product Enquiry for WooCommerce WordPress plugin before 3
CVEList, 2024-01-22: Product Enquiry for WooCommerce < 3.1 - Arbitrary Enquiry Deletion via CSRF
CVE-2023-6625 — Cross-Site Request Forgery | cvebase