CVE-2023-34386

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in WPC Smart Wishlist for WooCommerce allows attackers to trick authenticated users into performing unintended actions on their behalf. It affects WordPress sites using the vulnerable plugin version. Users with administrative or customer accounts could be targeted.

💻 Affected Systems

Products:
  • WPC Smart Wishlist for WooCommerce
Versions: <= 4.7.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WooCommerce installed. The vulnerability exists in the plugin's CSRF protection implementation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrators could be tricked into changing plugin settings, modifying user permissions, or performing other administrative actions without their consent.

🟠 Likely Case

Attackers could manipulate wishlist contents, add/remove products, or perform other user-level actions on behalf of authenticated users.

🟢 If Mitigated

With proper CSRF protections, requests would require valid tokens, preventing unauthorized actions even if users are tricked into clicking malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks typically require social engineering to trick authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.7.2

Vendor Advisory: https://patchstack.com/database/vulnerability/woo-smart-wishlist/wordpress-wpc-smart-wishlist-for-woocommerce-plugin-4-6-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find WPC Smart Wishlist for WooCommerce.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.7.2+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Implement CSRF Protection (all platforms)

Add CSRF tokens to the plugin's forms and verify them on every state-changing request if immediate patching isn't possible.

Disable Plugin (linux)

Temporarily disable the plugin until it is patched:

wp plugin deactivate woo-smart-wishlist

🧯 If You Can't Patch

  • Implement web application firewall rules to detect CSRF patterns
  • Use browser security extensions that block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin get woo-smart-wishlist --field=version

Verify Fix Applied:

Confirm plugin version is 4.7.2 or higher

📡 Detection & Monitoring

Log Indicators:

  • POST requests to wishlist endpoints whose Referer header is missing or points to another origin
  • Multiple failed CSRF token (nonce) validations

Network Indicators:

  • Cross-origin requests to wishlist endpoints
  • POST requests lacking the expected CSRF token or header

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "wishlist") AND http_method="POST" AND referrer NOT CONTAINS domain
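As an added example (not part of this advisory), the following Python applies the same logic as the SIEM query above to access-log lines in the common Apache/nginx "combined" format: it flags POST requests to admin-ajax.php or wishlist paths whose Referer is missing or belongs to a host other than the site. The site hostname shop.example and the sample log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Apache/nginx "combined" log format; the constructed sample lines below use it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_wishlist_endpoint(path: str) -> bool:
    # Same targeting as the SIEM query: admin-ajax.php or any path containing "wishlist".
    base = path.split("?", 1)[0]
    return base == "/wp-admin/admin-ajax.php" or "wishlist" in base.lower()

def classify(line: str, site_host: str):
    """Return None for lines that look benign, else (ip, path, reason)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not is_wishlist_endpoint(m["path"]):
        return None
    ref = m["referrer"]
    if ref in ("", "-"):
        # Browsers drop Referer under strict Referrer-Policy, so this is a lead, not proof.
        return (m["ip"], m["path"], "missing-referrer")
    ref_host = (urlparse(ref).hostname or "").lower()
    site = site_host.lower()
    if ref_host != site and not ref_host.endswith("." + site):
        return (m["ip"], m["path"], f"cross-origin-referrer:{ref_host}")
    return None

def scan(lines, site_host):
    """Apply classify() to every line and keep the hits, in log order."""
    return [hit for hit in (classify(l, site_host) for l in lines) if hit]

# Constructed sample log (hostnames are placeholders, not real sites).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2023:12:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://shop.example/product/widget/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2023:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2023:12:00:03 +0000] "GET /wishlist/ HTTP/1.1" 200 2048 "https://third-party.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2023:12:00:04 +0000] "POST /wishlist/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG, "shop.example"):
        print(ip, path, reason)
```

Because admin-ajax.php serves every plugin's AJAX traffic, expect noise from this rule; narrow it on the `action` parameter where your logs record the query string.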
