Cross-Site Request Forgery Vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart for WordPress
CVE-2024-13795
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 18 February 2025
What is CVE-2024-13795?
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is affected by a Cross-Site Request Forgery vulnerability in versions up to and including 6.12.27. This security flaw arises from inadequate nonce validation within the ecwid_deactivate_feedback() function. As a result, unauthorized attackers can potentially exploit this issue to send deactivation messages masquerading as a site owner. This exploitation requires the attacker to deceive a site administrator into executing an action, such as clicking a specially crafted link, thereby facilitating an unauthorized request.
Affected Version(s)
Ecwid by Lightspeed Ecommerce Shopping Cart * <= 6.12.27