Cross-site request forgery (CSRF) in Woo Checkout for Digital Goods plugin <= 2.1

This plugin is vulnerable to a Cross-site request forgery (CSRF) vulnerability. An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), and the attacker can then change the plugin settings.

The function woo_checkout_settings_page, in the file class-woo-checkout-for-digital-goods-admin.php, does not perform any check against Cross-site request forgery (CSRF) and does not verify user capabilities.
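For comparison, the following is an added example of what a settings handler looks like with and without the two checks the advisory says are missing. It is not the plugin's own code: the function names, the option name `wcdg_settings`, the nonce action `wcdg_save_settings`, the field names and the `manage_options` capability are all assumptions chosen for illustration; `current_user_can()`, `wp_nonce_field()` and `check_admin_referer()` are standard WordPress APIs.

```php
<?php
// Added example (not the plugin's code). Option, field and action names are
// assumptions for illustration only.

// The vulnerable pattern: any request that reaches this handler, from any
// user and from any origin, is allowed to write the option. A page on a third-
// party site can submit this form on behalf of a logged-in administrator.
function wcdg_insecure_save_settings() {
    if ( isset( $_POST['wcdg_enabled'] ) ) {
        update_option( 'wcdg_settings', array( 'enabled' => 1 ) );
    }
}

// Hardened form renderer. wp_nonce_field() embeds a per-user, time-limited
// token tied to the action name; a cross-site page cannot read or guess it.
function wcdg_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'wcdg' ), 403 );
    }
    $current = get_option( 'wcdg_settings', array( 'enabled' => 0 ) );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'wcdg_save_settings', 'wcdg_nonce' ); ?>
        <label>
            <input type="checkbox" name="wcdg_enabled" value="1"
                   <?php checked( 1, (int) $current['enabled'] ); ?> />
            Enable checkout for digital goods
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened save handler. The capability check rejects low-privilege users;
// check_admin_referer() rejects any request without a valid nonce for this
// action (it calls wp_die() with a 403). Both run before update_option().
function wcdg_handle_settings_save() {
    if ( ! isset( $_POST['wcdg_nonce'] ) ) {
        return; // nothing submitted
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wcdg' ), 403 );
    }
    check_admin_referer( 'wcdg_save_settings', 'wcdg_nonce' );

    // Normalise input to the values we expect before persisting it.
    $settings = array(
        'enabled' => isset( $_POST['wcdg_enabled'] ) ? 1 : 0,
    );
    update_option( 'wcdg_settings', $settings );
    add_settings_error( 'wcdg_settings', 'wcdg_saved', __( 'Settings saved.', 'wcdg' ), 'updated' );
}
add_action( 'admin_init', 'wcdg_handle_settings_save' );
```

The nonce alone is not sufficient: without the capability check, any authenticated user who can load the page could save settings, and without the nonce a forged request carrying the administrator's cookies would be accepted. Both checks belong in the handler that writes the option, not only in the code that renders the form.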

Proof Of Concept:
