CVE-2024-13774
📋 TL;DR
This CSRF vulnerability in the Wishlist for WooCommerce plugin allows attackers to trick administrators into performing unintended actions, potentially leading to malicious script injection or settings modification. All WordPress sites running this plugin up to version 3.1.7 are affected. The attacker needs no account on the site, but does need an authenticated administrator to visit a crafted page or link that submits the malicious request.
💻 Affected Systems
- Wishlist for WooCommerce: Multi Wishlists Per Customer WordPress plugin
⚠️ Risk & Real-World Impact
Worst Case
Site takeover through admin account compromise, data theft, or complete defacement via injected malicious scripts
Likely Case
Unauthorized settings changes, injection of advertising or phishing scripts, or data manipulation
If Mitigated
Limited impact with proper CSRF protections and admin awareness training
🎯 Exploit Status
CSRF attacks are well understood and easy to weaponize; exploitation requires social engineering to get an administrator to visit a crafted page while logged in.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.8 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Wishlist for WooCommerce'
4. Click 'Update Now' if available
5. If no update available, download version 3.1.8+ from WordPress repository
6. Deactivate, delete old version, upload and activate new version
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until it is patched (WP-CLI):
wp plugin deactivate wish-list-for-woocommerce
CSRF Protection via .htaccess
Add anti-framing headers at the web server level (Apache mod_headers, Linux):
Header set X-Frame-Options "SAMEORIGIN"
Header set Content-Security-Policy "frame-ancestors 'self'"
These headers only prevent the site from being loaded inside a third-party frame; they do not block a cross-site request sent directly to admin-ajax.php, so treat them as a partial control alongside the update.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to limit script execution
- Use web application firewall (WAF) rules to block suspicious POST requests to wishlist endpoints
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins
Check Version:
wp plugin get wish-list-for-woocommerce --field=version
Verify Fix Applied:
Verify that the plugin version is 3.1.8 or higher and that the AJAX handlers in class-alg-wc-wish-list-ajax.php (the code at lines 337 and 789 of the 3.1.7 release referenced below) now validate a nonce before processing the request.
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=save_to_multiple_wishlist that lack a proper Referer header or carry one from another origin
- Unusual admin activity patterns
Network Indicators:
- Cross-origin requests to wishlist endpoints
- Suspicious iframe or form submissions
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "save_to_multiple_wishlist" AND NOT referrer="*wp-admin*"
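As an added illustration of the log indicator above (example code, not from the plugin or the advisory source): a small Python checker that parses combined-format access log lines and flags POSTs to admin-ajax.php carrying action=save_to_multiple_wishlist whose Referer is missing or from another host. It assumes the action name appears in the request query string, and uses constructed sample lines with placeholder hostnames.

```python
import re
from urllib.parse import urlparse, parse_qs

# The admin-ajax action named in the advisory's log indicators.
WATCHED_ACTION = "save_to_multiple_wishlist"

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic); hosts and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=save_to_multiple_wishlist HTTP/1.1" 200 512 "https://shop.example/product/mug/" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=save_to_multiple_wishlist HTTP/1.1" 200 512 "https://other-site.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2025:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?action=save_to_multiple_wishlist HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Feb/2025:10:04:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "https://shop.example/wp-admin/" "Mozilla/5.0"
"""


def flag_suspicious(log_text, site_host):
    """Return (ip, referer, reason) tuples for POSTs to admin-ajax.php that
    carry the watched action and whose Referer is absent or from another host.

    A missing Referer is a weak signal on its own (browsers and Referrer-Policy
    can strip it), so review hits rather than blocking on them automatically.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlparse(m["path"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if WATCHED_ACTION not in parse_qs(url.query).get("action", []):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            hits.append((m["ip"], referer, "missing referer"))
        elif urlparse(referer).hostname != site_host:
            hits.append((m["ip"], referer, "cross-origin referer"))
    return hits


if __name__ == "__main__":
    for ip, referer, reason in flag_suspicious(SAMPLE_LOG, "shop.example"):
        print(f"{ip}\t{reason}\t{referer}")
```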
🔗 References
- https://plugins.trac.wordpress.org/browser/wish-list-for-woocommerce/tags/3.1.7/includes/free/class-alg-wc-wish-list-ajax.php#L337
- https://plugins.trac.wordpress.org/browser/wish-list-for-woocommerce/tags/3.1.7/includes/free/class-alg-wc-wish-list-ajax.php#L789
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c11456bb-dde3-4ab8-b00b-a6cdcc68a760?source=cve