Cross-Site Request Forgery in BEAR for WordPress Affects Unauthenticated Users
CVE-2023-4926
5.4MEDIUM
Key Information:
- Vendor
- Realmag777
- Status
- Bear – Bulk Editor And Products Manager Professional For WooCommerce By Pluginus.net
- Vendor
- CVE Published:
- 20 October 2023
Summary
The BEAR plugin for WordPress is affected by a Cross-Site Request Forgery (CSRF) vulnerability due to insufficient nonce validation in the woobe_bulk_delete_products function. This flaw could allow unauthenticated attackers to exploit the vulnerability by tricking site administrators into executing forged requests. As a result, attackers may delete products from the site without proper authorization, posing a significant risk to site integrity and content management.
Affected Version(s)
BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net * <= 1.1.3.3
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Marco Wotschka