Vulnerability Description
An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Multidots | Woo Checkout For Digital Goods | 2.1 |
Related Weaknesses (CWE)
References
- http://labs.threatpress.com/cross-site-request-forgery-csrf-in-woo-checkout-for-ExploitThird Party Advisory
- https://wordpress.org/plugins/woo-checkout-for-digital-goods/#developersRelease Notes
- http://labs.threatpress.com/cross-site-request-forgery-csrf-in-woo-checkout-for-ExploitThird Party Advisory
- https://wordpress.org/plugins/woo-checkout-for-digital-goods/#developersRelease Notes
FAQ
What is CVE-2018-11633?
CVE-2018-11633 is a vulnerability with a CVSS score of 6.5 (MEDIUM). An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing...
How severe is CVE-2018-11633?
CVE-2018-11633 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-11633?
Check the references section above for vendor advisories and patch information. Affected products include: Multidots Woo Checkout For Digital Goods.