Vulnerable Software Report | WordPress.org

Resolved asw
(@astreetweb)

1 month, 1 week ago

Cross-Site Request Forgery to Settings Update vulnerability discovered in WordPress Plugin Hide Categories Or Products On Shop Page (versions <= 1.0.7)

The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Bastien Ho
(@bastho)

1 month ago

Hi,

It seems that you mention another plugin. Hide Categories and Products for Woocommerce‘s last version is 1.2.10 and do not have save_data_hcps() function

Thread Starter asw
(@astreetweb)

1 month ago

You are right. It was this one which has been closed.
https://wordpress.org/plugins/hide-categories-or-products-on-shop-page/

I am glad it is not yours.

Viewing 2 replies - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

2 replies
2 participants
Last reply from: asw
Last activity: 1 month ago
Status: resolved