Cross-Site Request Forgery Vulnerability in BEAR for WordPress Plugin
CVE-2023-4920

8.8HIGH

Key Information:

Vendor
Wordpress
Status
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net
Vendor
CVE Published:
20 October 2023

Summary

The BEAR for WordPress plugin is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability due to inadequate nonce validation in the woobe_save_options function. This flaw allows unauthenticated attackers to manipulate the plugin's settings by tricking site administrators into executing unintended actions, such as clicking on crafted links. Furthermore, the plugin's insufficient input sanitization creates opportunities for malicious script injection, further compromising the security of the affected website.

Affected Version(s)

BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net * <= 1.1.3.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/woo-bulk-edito...
https://plugins.trac.wordpress.org/changeset/2970262/woo-...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.