A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the WordPress Custom My Account for WooCommerce plugin. This vulnerability could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authenticated session.

This vulnerability was discovered and reported by qilin_99.

The vulnerability is caused by a lack of CSRF protection in the plugin's code: state-changing requests are accepted without a token that proves the request originated from the plugin's own form. This allows an attacker to create a malicious link or page that, when visited by a higher-privileged user who is logged in, causes that user's browser to submit the request and perform an unwanted action with the user's privileges.
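As an added illustration (not the plugin's actual code; the handler, hook and option names are hypothetical), the following shows the vulnerable pattern described above beside a hardened form that uses WordPress's own nonce and capability checks:

```php
<?php
// Added illustrative example, not code from the Custom My Account for
// WooCommerce plugin. Hypothetical "save settings" handler for a WordPress
// plugin, reached via admin-post.php.

// --- Vulnerable pattern: any POST carrying the expected fields is acted on.
// A form auto-submitted from a third-party page is sent with the victim's
// cookies, so the update runs with the victim's privileges.
function cma_save_settings_vulnerable() {
    if ( ! isset( $_POST['cma_settings'] ) ) {
        return;
    }
    update_option( 'cma_settings', wp_unslash( $_POST['cma_settings'] ) );
}

// --- Hardened pattern: the form carries a nonce bound to this action,
// and the handler verifies both the user's capability and the nonce.
function cma_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cma_save_settings" />';
    // Emits a hidden "cma_nonce" field tied to the 'cma_save_settings' action.
    wp_nonce_field( 'cma_save_settings', 'cma_nonce' );
    echo '<input type="text" name="cma_settings[title]" />';
    submit_button( 'Save' );
    echo '</form>';
}

function cma_save_settings_hardened() {
    if ( ! isset( $_POST['cma_settings'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', '', array( 'response' => 403 ) );
    }
    // CSRF protection: a third-party site cannot know the victim's nonce,
    // so a forged cross-origin request fails here (check_admin_referer()
    // terminates the request when the nonce is missing or invalid).
    check_admin_referer( 'cma_save_settings', 'cma_nonce' );

    $settings = array(
        'title' => sanitize_text_field( wp_unslash( $_POST['cma_settings']['title'] ?? '' ) ),
    );
    update_option( 'cma_settings', $settings );
}
add_action( 'admin_post_cma_save_settings', 'cma_save_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for every handler that writes options, user data or orders and confirm it performs both a capability check and a nonce verification before the write.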

Severity:

CVSS 3.1 score: 7.1 (High)

Affected Versions:

All versions of the WordPress Custom My Account for WooCommerce plugin are affected by this vulnerability.

Impact:

An attacker who successfully exploits this vulnerability could force higher-privileged users to take actions that they did not intend to take. This could include changing account settings, making purchases, or even deleting accounts.

Recommendation:

Given the seriousness of this vulnerability, prompt action is essential:

  1. Temporary Deactivation: To minimize the risk of exploitation, consider temporarily deactivating the Custom My Account for WooCommerce plugin until a patched version becomes available.
  2. Plugin Updates: Watch for updates to the Custom My Account for WooCommerce plugin. Once a fixed version that addresses this vulnerability is released, promptly update the plugin to that version.
  3. Security Review: After applying the update, conduct a security review of the WordPress website to confirm that the vulnerability has been effectively remediated.
  4. Monitoring and Scanning: Monitor the website regularly for unusual activity and run security scans to identify potential issues.
  5. Stay Informed: Follow the latest developments concerning the Custom My Account for WooCommerce plugin, including updates regarding this vulnerability and the release of a patched version.