CVE-2024-12771

Published: Sat 21 Dec 2024

CVE-2024-12771

The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it possible for unauthenticated attackers to reset the password of any administrator or customer account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

References (Advisories, Solutions, and Tools):

https://plugins.trac.wordpress.org/browser/ecommerce-product-catalog/trunk/modules/cart/includes/customers/includes/transactions/customer-panel.php#L108
https://plugins.trac.wordpress.org/browser/ecommerce-product-catalog/trunk/modules/cart/includes/customers/includes/transactions/customer-panel.php#L44
https://plugins.trac.wordpress.org/changeset/3210939/
https://www.wordfence.com/threat-intel/vulnerabilities/id/3513ec24-0b1b-4528-9f89-eee5654e4e98?source=cve

Note: This product uses data from the NVD API but is not endorsed or certified by the NVD.

Join our newsletter!

Click to subscribe

Stay informed with product updates and security tips delivered to your inbox; no spam.

Advisory Details

CVE-2024-12771

References (Advisories, Solutions, and Tools):

Join our newsletter!