VYPR
Medium severity 4.3 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47451

Description

Cross-Site Request Forgery (CSRF) vulnerability in silverplugins217 Product Quantity Dropdown For Woocommerce product-quantity-dropdown-for-woocommerce allows Cross Site Request Forgery. This issue affects Product Quantity Dropdown For Woocommerce: from n/a through <= 1.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CSRF in Product Quantity Dropdown For Woocommerce plugin enables attackers to change plugin settings via a crafted request, requiring user interaction.

The Product Quantity Dropdown For Woocommerce plugin for WordPress (versions up to 1.2) contains a Cross-Site Request Forgery (CSRF) vulnerability. This flaw allows an attacker to perform unauthorized actions on behalf of a privileged user, such as changing plugin settings, by tricking the user into clicking a malicious link or visiting a crafted page [1].

Exploitation requires user interaction: the attacker must convince a logged-in administrator or other high-privilege user to take an action, such as clicking a link or submitting a form. The attacker does not need to be authenticated, but the victim must already be authenticated to the WordPress admin panel [1].

Successful exploitation could allow an attacker to modify plugin settings, potentially leading to further compromise of the WooCommerce store's functionality or data. The vulnerability is considered low severity but is part of mass-exploit campaigns targeting WordPress plugins [1].

The issue is resolved in version 1.3 of the plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack recommends enabling auto-updates for vulnerable plugins or contacting their hosting provider for assistance [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
