The U.S government National Vulnerability Database (NVD) released warnings of vulnerabilities in 5 WooCommerce WordPress plugins impacting over 135,000 setups.
Much of the vulnerabilities range in intensity to as high as Vital and rated 9.8 on a scale of 1-10.
Every vulnerability was designated a CVE identity number (Typical Vulnerabilities and Exposures) provided to discovered vulnerabilities.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, installed in over 100,000 sites, is vulnerable to a Cross-Site Demand Forgery (CSRF) attack.
A Cross-Site Request Forgery (CSRF) vulnerability emerges from a flaw in a website plugin that permits an assaulter to deceive a website user into carrying out an unintentional action.
Website browsers usually include cookies that tell a site that a user is registered and visited. An enemy can assume the benefit levels of an admin. This gives the enemy complete access to a site, exposes sensitive customer info, and so on.
This specific vulnerability can cause an export file download. The vulnerability description doesn’t explain what file can be downloaded by an assailant.
Given that the plugin’s function is to export WooCommerce order information, it may be sensible to assume that order data is the kind of file an attacker can gain access to.
The official vulnerability description:
“Cross-Site Demand Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin