Gorilla kingdom slot download,zone online casino games.Recharge Every day and Get Bonus up-to 50%!

Resolved warby15
(@warby15)

1 year, 4 months ago

WordPress WooCommerce Product Table Lite plugin <= 2.6.2 – Cross Site Request Forgery (CSRF) vulnerability

Is this something to be concerned about? thanks

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author WC Product Table
(@wcproducttable)

1 year, 4 months ago

Thank you for using my plugin WooCommerce Product Table Lite and writing in with your query.

The plugin has no known vulnerabilities and is written with all wordpress security standards in mind taking precaution to avoid such an issue.

If you are seeing a security warning from another security plugin then I will be happy to look into this. It could be a false positive or if there is an actual vulnerability I will address it asap.

I cannot check the link you have provided as it leads to a backend page on your site and one needs to be logged in to access it.

Please write in via the plugin support form so we may discuss this matter further and resolve any issue asap.

puregraphx
(@puregraphx)

1 year, 4 months ago

Not a false positive, please check https://patchstack.com/database/vulnerability/wc-product-table-lite/wordpress-woocommerce-product-table-lite-plugin-2-6-2-cross-site-request-forgery-csrf-vulnerability

Plugin Author WC Product Table
(@wcproducttable)

1 year, 4 months ago

@puregraphx Not a false positive, how?

I have checked the link that you sent me and can see that there is a ‘claim’ of a vulnerability, but no ‘proof’. Do you personally know where this vulnerability can be found in the code? Do you see any proof on the site?

I have contacted the site requesting any further information on this claimed vulnerability. Until they can provide any concrete proof of the same this is simply a claim and can very well be a false positive at their end.

If they can provide further useful information on their claim that helps pinpoint the issue I will fix it asap.

@warby15 has kindly contacted me directly but they have pointed to the same link as you. No further context has been added on the matter. I am awaiting a response from the site claiming the vulnerability. If they can provide any useful lead I will take action on it immediately and release an update.

I can assure you that I can and will fix any proven issue with the plugin. But I cannot fix ‘claims’.

inceweb
(@inceweb)

1 year, 4 months ago

Also being reported by Wordfence (same CVE-2023-47519 via patchstack.com):

WooCommerce Product Table Lite <= 2.6.2 – Cross-Site Request Forgery (wordfence.com)

The description isn’t terribly helpful:

“The WooCommerce Product Table Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation on an unknown function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.”

I note that the same researcher has posted dozens of CSRF and XSS vulnerabilities in the past past few weeks, which may be output from an automated scanning tool.

In answer to warby15’s question “Is this something to be concerned about?” – as an alert WordPress admin, probably not.

Plugin Author WC Product Table
(@wcproducttable)

1 year, 4 months ago

The plugin has been updated and this vulnerability has been fixed in the current v3.1.0 which is ready for download. Thank you for your patience!

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Vulnerability flagged by Solid Security’ is closed to new replies.