Cross-Site Request Forgery Vulnerability in ShipWorks Connector for WooCommerce by WordPress
CVE-2024-13317

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Shipworks Connector For WooCommerce
Vendor: CVE Published:; 18 January 2025

Summary

The ShipWorks Connector for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit missing or incorrect nonce validation on the 'shipworks-wordpress' page. By tricking a site administrator into performing an action, such as clicking a malicious link, an attacker can update the service's username and password without authorization. This highlights the importance of implementing proper nonce validation to safeguard against CSRF attacks.

Affected Version(s)

ShipWorks Connector for Woocommerce * <= 5.2.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Jan 18, 2025
Vulnerability Reserved
Jan 9, 2025

Credit

SOPROBRO