CVE-2024-6136

5.4 MEDIUM

📋 TL;DR

The wp-cart-for-digital-products WordPress plugin before version 8.5.6 lacks Cross-Site Request Forgery (CSRF) protection on certain endpoints, allowing attackers to trick authenticated users into performing unintended actions. This affects WordPress sites using vulnerable versions of this plugin, potentially impacting administrators and users with elevated privileges.

💻 Affected Systems

Products:
  • wp-cart-for-digital-products WordPress plugin
Versions: All versions before 8.5.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin enabled. Requires users to be authenticated to the WordPress site.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate administrative actions like modifying product prices, changing user roles, or deleting content without the administrator's knowledge or consent.

🟠 Likely Case

Attackers could trick logged-in users into performing unwanted actions like purchasing products, modifying their own cart, or changing account settings.

🟢 If Mitigated

With proper CSRF protections implemented, all requests would require valid tokens, preventing unauthorized actions even if users are tricked into clicking malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

CSRF attacks are well-understood and easy to implement. Exploitation requires the victim to be logged into the WordPress site and visit a malicious page.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.5.6

Vendor Advisory: https://wpscan.com/vulnerability/7d85cfe4-4878-4530-ba78-7cfe33f3a8d5/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'wp-cart-for-digital-products'.
4. Click 'Update Now' if available.
5. Alternatively, download version 8.5.6+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

Temporarily disable the wp-cart-for-digital-products plugin until patched:

  wp plugin deactivate wp-cart-for-digital-products

Implement CSRF protection middleware (Platform: all)

Add custom CSRF token validation for all plugin endpoints
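As an added example (not code from wp-cart-for-digital-products), this is what the token validation described above looks like with WordPress's built-in nonce API: a hypothetical admin-ajax price-update handler shown without any CSRF check, beside the hardened version that verifies a nonce and a capability before changing state. The action name, nonce name, meta key and form markup are assumptions.

```php
<?php
// Added example, not the plugin's own code. Action, nonce and meta names are
// hypothetical placeholders.

// BEFORE (shown for contrast, not registered): a state-changing admin-ajax
// handler with no check that the request came from a page this site served.
// Any third-party page the logged-in user visits could auto-submit this form.
function example_update_price_unprotected() {
    $product_id = (int) $_POST['product_id'];
    update_post_meta( $product_id, 'example_price', (float) $_POST['price'] );
    wp_send_json_success();
}

// Where the plugin renders its own admin form, emit a nonce bound to both the
// action and the product, so a token for one product cannot be reused on another.
function example_render_price_form( $product_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_price">
        <input type="hidden" name="product_id" value="<?php echo (int) $product_id; ?>">
        <?php wp_nonce_field( 'example_update_price_' . $product_id, 'example_nonce' ); ?>
        <input type="number" step="0.01" name="price">
        <button type="submit">Save</button>
    </form>
    <?php
}

// AFTER: the same handler with CSRF and authorisation checks, in that order.
add_action( 'wp_ajax_example_update_price', 'example_update_price_protected' );
function example_update_price_protected() {
    $product_id = isset( $_POST['product_id'] ) ? (int) $_POST['product_id'] : 0;

    // 1. CSRF: verify the nonce from the 'example_nonce' field. On a missing or
    //    stale token check_ajax_referer() stops the request before anything changes.
    check_ajax_referer( 'example_update_price_' . $product_id, 'example_nonce' );

    // 2. Authorisation: a valid nonce only proves the request came from a page
    //    this user loaded; it does not prove the user may edit this product.
    if ( ! $product_id || ! current_user_can( 'edit_post', $product_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $price = isset( $_POST['price'] ) ? (float) $_POST['price'] : 0.0;
    update_post_meta( $product_id, 'example_price', $price );
    wp_send_json_success( array( 'product_id' => $product_id, 'price' => $price ) );
}
```

Nonces are tied to the logged-in user and rotate every 12 to 24 hours, so the same check also rejects tokens replayed from another session.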

🧯 If You Can't Patch

  • Implement strict access controls and limit administrative privileges to essential personnel only
  • Deploy web application firewall (WAF) rules to detect and block CSRF attack patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for wp-cart-for-digital-products version

Check Version:

wp plugin list --name=wp-cart-for-digital-products --field=version

Verify Fix Applied:

Verify plugin version is 8.5.6 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-cart-for-digital-products endpoints without referrer headers
  • Multiple failed CSRF token validations

Network Indicators:

  • Requests to plugin endpoints originating from unexpected domains
  • POST requests without corresponding GET requests from same session

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "wp-cart-for-digital-products") AND http_method="POST" AND NOT referrer CONTAINS domain
