Does 4.7.1 address security vulnerability in 4.7.0?

  • Here’s the security vulnerability reported in 4.7.0:

    Description

    The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7.0. This is due to missing or incorrect nonce validation on the wishlist_add and wishlist_remove functions. This makes it possible for unauthenticated attackers to add or remove wishlist items via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    References

    Has this vulnerability been fixed in 4.7.1? The changelog just says “Fixed: Minor JS/CSS issues in the backend” which is a little vague.

Viewing 1 replies (of 1 total)
  • nonchiedercilaparola

    (@nonchiedercilaparola)

    From last wpmudev defender scan: “

    “CVSS
    #WordPress WPC Smart Wishlist for WooCommerce plugin <= 4.7.1 – Cross Site Request Forgery (CSRF) vulnerability
    -Vulnerability type: Cross Site Request Forgery (CSRF)
    -No Update Available”

    so i supose that 4.7.1 isn’t enough:(

Viewing 1 replies (of 1 total)
  • The topic ‘Does 4.7.1 address security vulnerability in 4.7.0?’ is closed to new replies.