Title: security vulnerability
Last modified: February 7, 2023

---

# security vulnerability

 *  [orfevre13](https://wordpress.org/support/users/orfevre13/)
 * (@orfevre13)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/)
 * I use your plug-in and was happy with it; unfortunately it has a critical security
   vulnerability: [https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/side-cart-woocommerce/side-cart-woocommerce-ajax-21-cross-site-request-forgery](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/side-cart-woocommerce/side-cart-woocommerce-ajax-21-cross-site-request-forgery)

Viewing 15 replies - 1 through 15 (of 15 total)

 *  Anonymous User 20889438
 * (@anonymized-20889438)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16447301)
 * [@orfevre13](https://wordpress.org/support/users/orfevre13/), CSRF vulnerability
   cannot be critical in the first place. The original source – Patchstack – marked
   this vulnerability as “medium” which is more legit.
 * Fear is big business.
 *  Thread Starter [orfevre13](https://wordpress.org/support/users/orfevre13/)
 * (@orfevre13)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16447533)
 * You are right, medium, but it still has a security vulnerability with possible
   serious harm. For the moment I prefer to deactivate and delete this plug-in; please
   fix this vulnerability as soon as possible. Thank you.
 *  [igalbauch](https://wordpress.org/support/users/igalbauch/)
 * (@igalbauch)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16447923)
 * When will this be addressed?
 *  [Fortem Digital](https://wordpress.org/support/users/twostrong/)
 * (@twostrong)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16448435)
 * I concur, would be good to know when a ‘fix’ might be forthcoming for this?
 *  [Luca](https://wordpress.org/support/users/dharma23/)
 * (@dharma23)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16448829)
 * Same here
 *  Plugin Author [xootix](https://wordpress.org/support/users/xootix/)
 * (@xootix)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16449658)
 * I don’t know how it is marked as a critical security issue.
   As per their detection, the following situation will result in a hack:
   1) You’re logged in as an admin
   2) Someone makes you visit this specific link: [http://www.yourwebsite.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes](http://www.yourwebsite.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes)
   => The consequence of this will be that your side cart settings get reset, which
   is basically what the “reset button” does now.
   Still, I will issue a patch tomorrow.
 *  [Fortem Digital](https://wordpress.org/support/users/twostrong/)
 * (@twostrong)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16449969)
 * Many thanks [@xootix](https://wordpress.org/support/users/xootix/)
 * I’m sure there was an element of WF being somewhat overzealous regarding this
   alert, but I’m sure I speak for everyone when I say I would rather the risk not
   be there at all.
 * Thanks again for your swift action 😊
 *  [espressivo](https://wordpress.org/support/users/espressivo/)
 * (@espressivo)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16452015)
 * I agree, looking forward to the patch, even if minor, so it is not being flagged
   and clients aren’t panicking.
 *  [ickurd](https://wordpress.org/support/users/ickurd/)
 * (@ickurd)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16453801)
 * I agree, looking forward to the patch
 *  [blankcanvas](https://wordpress.org/support/users/blankcanvas/)
 * (@blankcanvas)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16455288)
 * Unfortunately our site is still flagging the plugin as having a critical security
   vulnerability:
 * “**WordPress Side Cart Woocommerce (Ajax) plugin <= 2.1 – Cross-Site Request
   Forgery (CSRF) vulnerability**”
 * Has any patch been implemented yet? Thanks 👍
 *  [sbernado](https://wordpress.org/support/users/sbernado/)
 * (@sbernado)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/#post-16456340)
 * Hello! Thank you for your work on this! Much appreciated.
 * I am using version 2.1 and iThemes Security is still flagging the plugin with
   a vulnerability:
   WordPress Side Cart Woocommerce (Ajax) plugin <= 2.1 – Cross-Site Request
   Forgery (CSRF) vulnerability
 * Thanks again! - scott
 *  Plugin Author [xootix](https://wordpress.org/support/users/xootix/)
 * (@xootix)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/page/2/#post-16456400)
 * Hello,
   I’ve fixed this in the current version. Will soon release the new version.
   You can delete and reinstall the plugin or wait for the new version.
 * Patchstack initially reported this and they have marked it as “fixed”: [https://patchstack.com/database/vulnerability/side-cart-woocommerce/wordpress-side-cart-woocommerce-ajax-plugin-2-1-cross-site-request-forgery-csrf-vulnerability](https://patchstack.com/database/vulnerability/side-cart-woocommerce/wordpress-side-cart-woocommerce-ajax-plugin-2-1-cross-site-request-forgery-csrf-vulnerability)
 * Please do not worry, this vulnerability can do nothing to your site. They just
   mark everything as vulnerable and scare users for nothing. If you’re logged in
   as an admin and someone asks you to visit a specific link, [http://www.yourwebsite.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes](http://www.yourwebsite.com/wp-admin/admin.php?page=side-cart-woocommerce-settings&reset=yes),
   it will reset your side cart settings to default. How vulnerable is this to be
   given an 8.8 level threat?
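 * The reset-by-link behaviour described in the two plugin-author posts above is the textbook shape of a WordPress CSRF: a state-changing admin action triggered by a bare GET parameter. The snippet below is an added illustration, not the plugin's own code, showing that pattern next to the standard WordPress mitigation (capability check plus a nonce generated by `wp_nonce_url()` and verified by `check_admin_referer()`); the option name, function names and nonce action string are assumptions.

```php
<?php
// Added example (not the Side Cart plugin's code). Option name, function names
// and the nonce action string are assumptions made for this illustration.

// Pattern the thread describes: any request carrying ?reset=yes resets settings.
// Because nothing ties the request to the plugin's own settings screen, a link
// or image tag on a third-party page can make a logged-in admin's browser send it.
function xoo_example_reset_unguarded() {
    if ( isset( $_GET['reset'] ) && 'yes' === $_GET['reset'] ) {
        delete_option( 'xoo_example_settings' ); // assumed option name
    }
}

// Hardened pattern: require the admin capability AND a valid nonce bound to this
// specific action. check_admin_referer() stops execution with the "link has
// expired" notice when the nonce is missing or does not match the current user,
// so a request forged from another origin cannot reach delete_option().
function xoo_example_reset_guarded() {
    if ( ! isset( $_GET['reset'] ) || 'yes' !== $_GET['reset'] ) {
        return; // not a reset request; nothing to do on this admin page load
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'xoo-example' ) );
    }
    check_admin_referer( 'xoo_example_reset_settings' ); // assumed nonce action
    delete_option( 'xoo_example_settings' );
    // Redirect after the state change so a browser refresh does not repeat it.
    wp_safe_redirect( admin_url( 'admin.php?page=side-cart-woocommerce-settings' ) );
    exit;
}
add_action( 'admin_init', 'xoo_example_reset_guarded' );

// The settings screen's own reset button must carry the matching nonce, which is
// why a plain copy of the URL from elsewhere no longer works.
function xoo_example_reset_button() {
    $url = wp_nonce_url(
        admin_url( 'admin.php?page=side-cart-woocommerce-settings&reset=yes' ),
        'xoo_example_reset_settings' // same action string as the check above
    );
    echo '<a class="button" href="' . esc_url( $url ) . '">Reset settings</a>';
}
```

   The same two checks (capability and nonce) apply to any other admin-side action the plugin exposes, including AJAX handlers, where `check_ajax_referer()` is the matching verifier.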
 *  [Fortem Digital](https://wordpress.org/support/users/twostrong/)
 * (@twostrong)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/page/2/#post-16456604)
 * Thanks [@xootix](https://wordpress.org/support/users/xootix/)
 * Your help is much appreciated!
 *  [rawrly](https://wordpress.org/support/users/rawrly/)
 * (@rawrly)
 * [3 years, 3 months ago](https://wordpress.org/support/topic/security-vulnerability-55/page/2/#post-16456754)
 * Hello all, this is Robert from Patchstack.
 * Foremost, thank you to [@xootix](https://wordpress.org/support/users/xootix/)
   for writing and pushing the patch. CSRF bugs are rarely targeted in the wild,
   but the patch makes your project more complete. Patchstack has updated our records
   to show this plugin is patched and safe to use.
 * Regarding WordFence’s “critical” severity claim: only WordFence can control
   their choice of words. This is not the first case where they take a Low or Medium
   severity risk and claim it is “critical” to their customers. It is not fair
   for me to speculate as to why they did this; however, I feel I am in agreement
   with most of the posters here (like @twostrong, [@espressivo](https://wordpress.org/support/users/espressivo/),
   @fearzzzz and [@orfevre13](https://wordpress.org/support/users/orfevre13/)) that
   this critical warning caused undue stress for the users of this plugin, who have
   an attentive developer working on the patch. If you’re interested in clearer
   security communication, well, maybe look into us.
 * If anyone has any questions on Patchstack’s process of receiving security bugs
   from third parties and how we score them, please feel free to reach out. I’ll
   turn on notifications for this thread.
 * Have a wonderful day. – Robert
 *  [Lautaro Piatti](https://wordpress.org/support/users/pimomedia/)
 * (@pimomedia)
 * [3 years, 1 month ago](https://wordpress.org/support/topic/security-vulnerability-55/page/2/#post-16646448)
 * Hello! It would be great to have a plugin version bump so that we can stop getting
   the patched 2.1 version flagged as insecure by plugins like Wordfence.
 * Regards,
 * Lautaro.


The topic ‘security vulnerability’ is closed to new replies.

 * 20 replies
 * 12 participants
 * Last reply from: [Lautaro Piatti](https://wordpress.org/support/users/pimomedia/)
 * Last activity: [3 years, 1 month ago](https://wordpress.org/support/topic/security-vulnerability-55/page/2/#post-16646448)
 * Status: not resolved