CVE-2018-11633 – Digital Goods < 2.2 - Cross-Site Request Forgery

https://notcve.org/view.php?id=CVE-2018-11633

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities. Se ha descubierto un problema en el plugin Woo Checkout for Digital Goods 2.1 de MULTIDOTS para WordPress. Si se puede engañar a un usuario administrador para que visite una URL manipulada creada por un atacante (mediante phishing dirigido o ingeniería social), el atacante puede cambiar la configuración del plugin. • http://labs.threatpress.com/cross-site-request-forgery-csrf-in-woo-checkout-for-digital-goods-plugin https://wordpress.org/plugins/woo-checkout-for-digital-goods/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •