CVE-2024-31262
Description
Cross-Site Request Forgery (CSRF) vulnerability in Jcodex WooCommerce Checkout Field Editor (Checkout Manager). This issue affects WooCommerce Checkout Field Editor (Checkout Manager): from n/a through 2.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the WooCommerce Checkout Field Editor plugin (≤2.1.8) allows attackers to force privileged users to execute unwanted actions without consent.
Vulnerability
The WooCommerce Checkout Field Editor (Checkout Manager) plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions through 2.1.8 [1]. The flaw occurs because the plugin does not properly validate or verify requests made by authenticated users. An attacker can therefore craft malicious links or forms that, when clicked or submitted by a privileged user, perform unintended actions under that user's session [1].
Exploitation
Exploitation requires user interaction: a higher-privileged user (such as an administrator) must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attacker needs no authentication, so any unauthenticated user can initiate the attack [1], but the victim must be logged into the WordPress site with sufficient privileges.
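A log-review heuristic for the request pattern described above, as an added example that is not part of the original advisory: it flags state-changing `/wp-admin/` requests whose `Referer` points to a different host. The hostnames, paths, parameters and log lines are constructed, and the plugin's actual endpoints are not given on this page.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (hosts, paths and parameters are placeholders).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=settings" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:05:00 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "https://other.example/page.html" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:06:00 +0000] "GET /wp-admin/admin.php?page=settings&action=reset HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Jan/2025:10:07:00 +0000] "GET /product/shirt/ HTTP/1.1" 200 2048 "https://other.example/" "Mozilla/5.0"',
]

def classify(line, site_host):
    """Return (verdict, method, path) for state-changing wp-admin requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not target.path.startswith("/wp-admin/"):
        return None
    # Keep POSTs, plus GETs carrying an action parameter (the crafted-link case).
    if m["method"] != "POST" and "action=" not in target.query:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Referrer-Policy or a proxy may strip the header: inconclusive, not benign.
        verdict = "no-referer"
    else:
        # Exact host comparison, so look-alike hosts still count as cross-site.
        ref_host = (urlsplit(referer).hostname or "").lower()
        verdict = "same-site" if ref_host == site_host.lower() else "cross-site"
    return verdict, m["method"], target.path

def cross_site_hits(lines, site_host):
    """Admin requests that arrived with a Referer from another host."""
    results = (classify(line, site_host) for line in lines)
    return [r for r in results if r and r[0] == "cross-site"]

if __name__ == "__main__":
    for hit in cross_site_hits(SAMPLE, "shop.example"):
        print(hit)
```
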
Impact
Successful exploitation enables an attacker to force a privileged user to execute unwanted actions within the plugin, such as modifying checkout fields or changing settings, under the victim's current authentication. According to Patchstack, the severity is medium (CVSS 5.4) but is considered low risk in practice and unlikely to be exploited at scale [1].
Mitigation
The vulnerability is patched in version 2.1.9 of the plugin. Users are strongly advised to update immediately [1]. For Patchstack users, enabling auto-update for vulnerable plugins will automatically apply the fix [1]. If updating is not possible, contact a hosting provider or developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.