AllSEO

WooCommerce WordPress Plugin - CVE-2022-43491

There is no update available for users at this time. The US government's National Vulnerability Database has published warnings about vulnerabilities in five WooCommerce WordPress plugins, some of which are rated as high as 9.8 on a scale of 1 to 10.

The Advanced Order Export for WooCommerce plugin, which is installed on over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack that could allow an export file to be downloaded. The official changelog for the plugin notes that the vulnerability was patched in version 3.3.2.2, but there is no update available for users at this time. This allows remote users to execute arbitrary code on the target systems. The NVD has not assigned a CVE number to this vulnerability.

The National Vulnerability Database (NVD) has given the second vulnerability, a Cross-Site Request Forgery (CSRF) flaw in the Advanced Dynamic Pricing for WooCommerce plugin, a CVE (Common Vulnerabilities and Exposures) number, CVE-2022-43491. The NVD is a U.S. government repository of standards-based vulnerability management data represented using the Standard Generalized Markup Language (SGML). The official NVD description of the CVE-2022-43491 vulnerability is: “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce”.

WooCommerce Coupons has over 10,000 installs.

The fourth affected software is the WooCommerce Dropshipping by OPMC plugin, which has over 3,000 installations. Versions of this plugin below version 4.4 contain an unauthenticated SQL injection vulnerability rated 9.8 (on a scale of 1-10) and labeled as Critical. This allows remote users to execute arbitrary code on the target systems. The NVD has not assigned a CVE number to this vulnerability.

The Role Based Pricing for WooCommerce plugin contains two Cross-Site Request Forgery (CSRF) vulnerabilities. This plugin is installed on 2,000 websites.
A CSRF vulnerability usually occurs when an attacker tricks an administrator or other user into clicking on a link or taking some other action while logged in, so that the user's browser submits a request the user never intended. The official plugin changelog notes that the plugin is fully patched in version 1.6.2 and adds: "It is also advisable to back up the site before making any plugin updates and to stage the site and test the plugin before updating".
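As an added illustration of the two bug classes named above (CSRF on an admin export action, and SQL injection), here is a hypothetical WordPress admin-post handler written for this article, not code from any of the plugins it names: the open form beside the hardened form. The action names, helper functions, capability and query are assumptions for the example.

```php
<?php
// Added example (not from any plugin named in the article): a hypothetical
// order-export handler, first in the form open to CSRF, then hardened.

// Open form: any request to admin-post.php?action=export_orders_insecure that a
// logged-in administrator's browser makes (e.g. via a link they were lured into
// clicking) runs the export, because nothing ties the request to their intent.
add_action( 'admin_post_export_orders_insecure', function () {
    send_csv_download( get_orders_for_export() );
    exit;
} );

// Hardened form: the request must carry a nonce bound to this action and this
// user's session, and the user must hold the relevant capability.
add_action( 'admin_post_export_orders', function () {
    // wp_die()s if the _wpnonce query parameter is missing, expired or forged.
    check_admin_referer( 'export_orders' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    send_csv_download( get_orders_for_export() );
    exit;
} );

// The export link shown on the plugin's own admin page carries the nonce, so
// only a link rendered for this user in this session passes check_admin_referer().
function export_orders_link() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=export_orders' ),
        'export_orders'
    );
}

// For the SQL-injection class noted in the article: user input is sanitized and
// bound through $wpdb->prepare() rather than concatenated into the query.
function get_orders_for_export() {
    global $wpdb;
    $status = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : 'wc-completed';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'shop_order' AND post_status = %s",
        $status
    ) );
}

function send_csv_download( $orders ) {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    echo "order_id\n";
    foreach ( $orders as $order ) {
        echo (int) $order->ID . "\n";
    }
}
```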

(source: https://www.searchenginejournal.com/woocommerce-vulnerabilities/470996/)