The Premium Packages – Sell Digital Products Securely...
Moderate severity
Unreviewed
Published
Sep 25, 2024
to the GitHub Advisory Database
•
Updated Sep 25, 2024
Description
Published by the National Vulnerability Database
Sep 25, 2024
Published to the GitHub Advisory Database
Sep 25, 2024
Last updated
Sep 25, 2024
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the wpdmpp_async_request() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
References