CVE-2024-0432 MEDIUM

CVE-2024-0432: Gestpay for WooCommerce <= 20221130 - Cross-Site Request Forgery (CSRF) via ajax_delete_card

Vendor Easynolo
Product Ecommerce Fabrick
Weakness CWE-352 · CSRF
Published February 28, 2024
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

Description

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
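As an added illustration (not the plugin's own code), the following shows the handler shape the description refers to, a WordPress AJAX action that acts on a request without nonce validation, beside a hardened version that validates a nonce bound to the action and restricts the deletion to the caller's own token; the hook, action, nonce and meta-key names and the script handle are assumptions.

```php
<?php
// Added example, not Gestpay for WooCommerce code. Hook, action, nonce and
// meta-key names are assumptions; the card token is stored as user meta.

// Vulnerable shape: the handler trusts whatever user_id the request names and
// performs no nonce or ownership check, so a forged cross-site request sent
// from a logged-in administrator's browser is honoured.
function hypothetical_ajax_delete_card_vulnerable() {
    $user_id = intval( $_POST['user_id'] );
    delete_user_meta( $user_id, 'hypothetical_default_card_token' );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_delete_card', 'hypothetical_ajax_delete_card_vulnerable' );

// Hardened shape: require a valid nonce for this specific action, require a
// logged-in caller, and only allow deleting another user's token with an
// explicit capability.
function hypothetical_ajax_delete_card_fixed() {
    // check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'hypothetical_delete_card', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $current = get_current_user_id();
    $target  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    if ( $target !== $current && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_user_meta( $target, 'hypothetical_default_card_token' );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_delete_card_fixed', 'hypothetical_ajax_delete_card_fixed' );

// The nonce is generated server-side and rendered into the site's own page for
// the (assumed, already registered) 'hypothetical-cards' script, so a
// third-party page cannot obtain it and cannot forge the request.
function hypothetical_enqueue_delete_card_nonce() {
    wp_localize_script( 'hypothetical-cards', 'hypotheticalCards', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'hypothetical_delete_card' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'hypothetical_enqueue_delete_card_nonce' );
```

The nonce check alone closes the CSRF; the ownership and capability checks are the additional guard that stops a valid session from deleting a token that belongs to someone else.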

Explanation of Vulnerability in Simple Terms

Summary

Ecommerce Fabrick versions up to 20221130 contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious link or page that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability requires user interaction and does not directly expose sensitive data, but can disrupt site availability or functionality.

What an attacker can do

Attacker Capabilities

Trick a logged-in admin into performing unwanted actions on the site via a malicious link or page.

Potential impact on your site

Site Impact

Site admins could unknowingly trigger actions that disrupt site availability or functionality.

Conditions required to exploit

Prerequisites

Admin must visit attacker's link or page while logged into the site.

Key dates

Disclosure timeline

February 28, 2024 CVE published
April 8, 2026 Record updated
