CVE-2025-48342
Description
Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing & Discounts Lite for WooCommerce woo-dynamic-pricing-discounts-lite allows Cross Site Request Forgery. This issue affects Dynamic Pricing & Discounts Lite for WooCommerce: from n/a through <= 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Dynamic Pricing & Discounts Lite for WooCommerce up to v2.0.4 allows attackers to force privileged users to perform unwanted actions.
Vulnerability Overview
The Dynamic Pricing & Discounts Lite for WooCommerce plugin (woo-dynamic-pricing-discounts-lite) versions up to and including 2.0.4 are vulnerable to Cross-Site Request Forgery (CSRF). This issue originates from insufficient validation of request origins, allowing an attacker to trick authenticated users into executing unintended actions.
Exploitation Conditions
Exploitation requires user interaction: a privileged user must click a malicious link, visit a crafted page, or submit a malicious form. The attacker does not need authentication but relies on the victim's active session. The CSRF can be initiated by any role, but successful exploitation depends on the victim having higher privileges (e.g., admin or shop manager).
Impact
A successful CSRF attack can force the victim to carry out unauthorized actions under their current authentication level. This may include modifying plugin settings, altering pricing rules, or performing other administrative operations, potentially leading to data integrity compromise or further attacks.
Mitigation
The vendor has not released a patch as of the publication date. Immediate action recommended: update the plugin if a patched version becomes available. As a workaround, implement additional CSRF protections such as nonce validation or employ a Web Application Firewall (WAF). The vulnerability is rated Medium (CVSS 5.4) and is known to be used in mass-exploit campaigns [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
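The nonce validation named in the mitigation above, as it looks in a WordPress admin handler. This is an added example, not code from the affected plugin or its vendor; the `example_` function, action, field and option names and the `example-pricing` page slug are hypothetical.

```php
<?php
/**
 * Added example: hypothetical settings handler, not the affected plugin's code.
 * Every name prefixed example_ is an assumption made for illustration.
 */

// Render the form with a nonce bound to this action and the current user's session.
function example_render_pricing_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_pricing_rule">
        <?php wp_nonce_field( 'example_save_pricing_rule', 'example_nonce' ); ?>
        <input type="number" step="0.01" name="discount_percent">
        <?php submit_button( 'Save rule' ); ?>
    </form>
    <?php
}

// admin-post.php dispatches this hook for logged-in users only.
add_action( 'admin_post_example_save_pricing_rule', 'example_save_pricing_rule' );

function example_save_pricing_rule() {
    // 1. Authorization: a valid session alone must not be enough.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: stops the request unless example_nonce was issued for
    //    this action and this user. A state-changing handler that omits this
    //    call accepts any request the browser sends with the session cookie.
    check_admin_referer( 'example_save_pricing_rule', 'example_nonce' );

    // 3. Only after both checks: read, bound and store the input.
    $percent = isset( $_POST['discount_percent'] )
        ? (float) wp_unslash( $_POST['discount_percent'] )
        : 0.0;
    $percent = max( 0.0, min( 100.0, $percent ) );

    update_option( 'example_discount_percent', $percent );

    wp_safe_redirect( admin_url( 'admin.php?page=example-pricing&updated=1' ) );
    exit;
}
```

The capability check and the nonce check answer different questions (who may do this, and did the request come from the site's own form), so a handler needs both.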
Affected products
- Range: <= 2.0.4
- Range: <=2.0.4
Patches
No patches discovered yet.
References