vulnerability

WordPress Plugin: ecommerce-product-catalog: CVE-2023-5979: Cross-Site Request Forgery (CSRF)

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:N/I:P/A:P)

Published

Nov 13, 2023

Added

May 15, 2025

Modified

Apr 30, 2026

Description

The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 3.3.26 (exclusive). This is due to missing or incorrect nonce validation when handling product and category settings. This makes it possible for unauthenticated attackers to bulk delete, reset, or reassign products and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Solution

ecommerce-product-catalog-plugin-cve-2023-5979

References

https://www.cve.org/CVERecord?id=CVE-2023-5979
https://www.wordfence.com/threat-intel/vulnerabilities/id/ba70f811-543f-4da4-ba45-715dbd6be6be?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-58246
CVE-2023-5979
https://attackerkb.com/topics/CVE-2023-5979
CWE-352
EUVD-EUVD-2023-58246

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report