Cross-Site Request Forgery Vulnerability in SMS for WooCommerce Plugin
CVE-2024-12220

6.1MEDIUM

Key Information:

Vendor: Wordpress
Status: Sms For WooCommerce
Vendor: CVE Published:; 17 December 2024

Summary

CVE-2024-12220 identifies a critical Cross-Site Request Forgery (CSRF) vulnerability in the SMS for WooCommerce plugin for WordPress. This security flaw, present in all versions up to and including 2.8.1, stems from inadequate nonce validation in certain functions. As a result, unauthenticated attackers can exploit this vulnerability by crafting forged requests. If a site administrator inadvertently clicks a malicious link, the attacker could execute harmful actions on behalf of the administrator, potentially leading to severe security breaches. It is essential for users of this plugin to update to a patched version immediately to safeguard their WordPress installations from attacks.

Affected Version(s)

SMS for WooCommerce * <= 2.8.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wc-sms/#developers

https://plugins.trac.wordpress.org/changeset/3207316/

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 17, 2024
Vulnerability Reserved
Dec 4, 2024

Credit

Dale Mavers