The U.S. government's National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.
Several of the vulnerabilities are rated Critical, the most severe scoring 9.8 on the 10-point CVSS scale.
Each vulnerability has been assigned a CVE (Common Vulnerabilities and Exposures) identifier, the standard reference number given to publicly disclosed vulnerabilities.
1. Advanced Order Export For WooCommerce
The Advanced Order Export for WooCommerce plugin, installed on over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.
A Cross-Site Request Forgery (CSRF) vulnerability arises when a plugin accepts a request without verifying that the logged-in user actually intended to make it, which lets an attacker trick a site user into performing an action they did not choose.
Browsers automatically attach a site's cookies, including the one that proves a user is logged in, to every request sent to that site, even when the request is triggered by a page the attacker controls. If the tricked user is an administrator, the forged request runs with administrator privileges, which can give the attacker control over the website, expose sensitive customer data, and so on.
This particular vulnerability can trigger an export file download. The vulnerability description does not say which file an attacker can obtain.
Given that the plugin’s function is to export WooCommerce order data, it is reasonable to assume that order data is the kind of file an attacker could gain access to.
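To make the mechanism concrete, the following is an added stand-alone Python model of an export endpoint; it is not code from the plugin or from this article. It places a handler that only checks the login cookie beside one that also demands a per-session, per-action token, the same pattern WordPress implements with wp_create_nonce() and check_admin_referer(). The action name, session id, order rows, secret and handler names are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Per-site secret, standing in for the WordPress salts that feed wp_create_nonce().
SERVER_SECRET = secrets.token_bytes(32)
# WordPress nonces stay valid for 12 to 24 hours; the window advances every 12 hours.
TICK_SECONDS = 12 * 3600
EXPORT_ACTION = "export_orders"  # hypothetical action name for the export request

# Constructed sample data: one logged-in shop manager and the data the export returns.
SESSIONS = {"sess-7f3a": {"user": "shopmanager", "can_export_orders": True}}
ORDERS_CSV = "order_id,customer,email,total\n1001,A. Customer,a@example.test,59.90\n"


def _tick(now):
    return int(now // TICK_SECONDS)


def _nonce_for_tick(tick, session_id, action):
    # Keyed hash over the time window, the action and the session: the attacker's
    # page knows neither the secret nor the victim's session id, so it cannot forge it.
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def create_nonce(session_id, action, now=None):
    """Token embedded in the legitimate export form; bound to session and action."""
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), session_id, action)


def verify_nonce(nonce, session_id, action, now=None):
    """Accept the current and the previous window, as wp_verify_nonce() does."""
    now = time.time() if now is None else now
    tick = _tick(now)
    return any(
        hmac.compare_digest(nonce.encode(), _nonce_for_tick(t, session_id, action).encode())
        for t in (tick, tick - 1)
    )


def _authorized_session(request):
    """Returns the session id if the cookie belongs to a user allowed to export."""
    session_id = request["cookies"].get("session")
    session = SESSIONS.get(session_id)
    if session is None or not session["can_export_orders"]:
        return None
    return session_id


def vulnerable_export_handler(request):
    """Checks WHO is asking (the cookie) but not WHETHER they meant to ask."""
    if _authorized_session(request) is None:
        return 403, None
    return 200, ORDERS_CSV


def hardened_export_handler(request):
    """Same authorization, plus a nonce the attacker's page cannot read or forge."""
    session_id = _authorized_session(request)
    if session_id is None:
        return 403, None
    nonce = request["params"].get("_wpnonce", "")
    if not verify_nonce(nonce, session_id, EXPORT_ACTION):
        return 403, None
    return 200, ORDERS_CSV


def legitimate_request():
    """The shop manager clicks Export on the plugin's own page: cookie plus nonce."""
    return {"cookies": {"session": "sess-7f3a"},
            "params": {"action": EXPORT_ACTION,
                       "_wpnonce": create_nonce("sess-7f3a", EXPORT_ACTION)}}


def forged_request():
    """The shop manager visits attacker.example, which embeds an <img> or a
    self-submitting form pointing at the export URL. The browser attaches the
    shop's cookie automatically; the same-origin policy stops the attacker's
    page from reading the nonce, so the forged request arrives without one."""
    return {"cookies": {"session": "sess-7f3a"},
            "params": {"action": EXPORT_ACTION}}


if __name__ == "__main__":
    print("vulnerable handler, forged request:", vulnerable_export_handler(forged_request())[0])
    print("hardened handler, forged request:", hardened_export_handler(forged_request())[0])
    print("hardened handler, legitimate request:", hardened_export_handler(legitimate_request())[0])
```

The vulnerable handler hands the order export to any request that carries the manager's cookie, which is exactly what a forged cross-site request does; the hardened one rejects it because the token is missing, and a token minted for another session or another action is rejected as well. In a real plugin the same check is a call to check_admin_referer() or wp_verify_nonce() before the export runs, combined with a capability check such as current_user_can().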
The official vulnerability description:
“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin