CVE-2023-1087

4.3 MEDIUM

📋 TL;DR

This vulnerability in the WC Sales Notification WordPress plugin allows attackers to trick logged-in administrators into activating arbitrary plugins via Cross-Site Request Forgery (CSRF) attacks. Attackers can exploit this by sending malicious requests that appear legitimate, potentially enabling malicious plugins. Only WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WC Sales Notification WordPress Plugin
Versions: All versions before 1.2.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin and an authenticated admin user who can be tricked into clicking a malicious link.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could activate malicious plugins that provide persistent backdoors, execute arbitrary code, steal sensitive data, or take full control of the WordPress site.

🟠

Likely Case

Attackers would activate plugins that perform reconnaissance, create admin accounts, or deploy web shells for further exploitation.

🟢

If Mitigated

With proper CSRF protections and plugin vetting, the attack would fail or only activate benign plugins with limited impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick an admin into clicking a malicious link while authenticated. No authentication bypass is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.3

Vendor Advisory: https://wpscan.com/vulnerability/356c89a1-81b6-4600-9291-1a74788af7f9

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WC Sales Notification' and check whether the version is below 1.2.3.
4. Click 'Update Now' if available, or delete the plugin and reinstall it from the WordPress repository.

🔧 Temporary Workarounds

Implement CSRF Protection Manually

Add nonce verification to plugin activation requests in the plugin code.

Edit the plugin's PHP files so that every activation endpoint checks the request with wp_verify_nonce() (and rejects it when the check fails) before calling any activation logic.
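The following is an added example, not code from the WC Sales Notification plugin: a hypothetical admin-side activation handler shown once without CSRF protection and once hardened with a nonce check plus a capability check. Every name prefixed wcsn_example_ and the action string 'wcsn_example_activate' are assumptions for this illustration.

```php
<?php
// Added example (hypothetical handler, not the plugin's own code).
// Assumes it runs inside WordPress admin, where activate_plugin() is loaded.

// --- Before: any request carrying ?plugin=... is honoured. A logged-in
// administrator who loads a page controlled by someone else can be made to
// issue such a request without knowing it, which is the CSRF weakness.
function wcsn_example_activate_unprotected() {
    if ( ! empty( $_GET['plugin'] ) ) {
        activate_plugin( sanitize_text_field( wp_unslash( $_GET['plugin'] ) ) );
    }
}

// --- After: the handler requires the activate_plugins capability and a valid
// nonce bound to this action and the current user's session. A cross-site
// request cannot supply that nonce, so the forged request stops here.
function wcsn_example_activate_protected() {
    if ( empty( $_GET['plugin'] ) ) {
        return;
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wcsn-example' ), 403 );
    }
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wcsn_example_activate' ) ) {
        wp_die( esc_html__( 'Security check failed.', 'wcsn-example' ), 403 );
    }
    $plugin = sanitize_text_field( wp_unslash( $_GET['plugin'] ) );
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
}

// The link the plugin's own settings page emits must carry the matching
// nonce. wp_nonce_url() appends _wpnonce generated for the same action
// string that wcsn_example_activate_protected() verifies.
function wcsn_example_activation_link( $plugin_file ) {
    $url = add_query_arg(
        array( 'action' => 'wcsn_example_activate', 'plugin' => $plugin_file ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'wcsn_example_activate' );
}
```

Because wp_verify_nonce() also returns false for a nonce issued to a different logged-in user, a link copied out of one administrator's session does not work in another's.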

Restrict Plugin Installation

Prevent installation of new plugins and limit existing plugins to trusted sources only.

Define the DISALLOW_FILE_MODS constant in wp-config.php: define('DISALLOW_FILE_MODS', true);

Note that this constant blocks installing, updating and deleting plugins and themes from the admin panel, but it does not stop activation of plugins that are already installed, and it has to be removed again before the 1.2.3 update can be applied through the admin panel.

🧯 If You Can't Patch

  • Remove the WC Sales Notification plugin entirely if not needed.
  • Implement web application firewall (WAF) rules to block CSRF attacks targeting plugin activation endpoints.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WC Sales Notification version. If version is below 1.2.3, the site is vulnerable.

Check Version:

wp plugin list --name='wc-sales-notification' --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, verify the plugin version shows 1.2.3 or higher in the WordPress plugins list.

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin activation events in WordPress logs
  • Multiple plugin activation requests from same IP in short time

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=activate-plugin without proper referrer headers

SIEM Query:

source="wordpress.log" AND "activate-plugin" AND NOT referrer="*wp-admin*"
