Description (what the vulnerability does)
The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Summary (explanation of the vulnerability in simple terms)
Ecommerce Fabrick versions up to 20221130 contain a cross-site request forgery (CSRF) vulnerability. An attacker can craft a malicious link or page that, when visited by a logged-in site administrator, performs unwanted actions on the site without their knowledge. The vulnerability requires user interaction and does not directly expose sensitive data, but can disrupt site availability or functionality.
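The root cause named above is an AJAX action that changes state without checking a WordPress nonce. The following PHP is an added illustration, not the plugin's own code: all function, hook, action and meta-key names (the `example_` prefix) are hypothetical, and `manage_woocommerce` is used only as a representative WooCommerce capability. It places the unprotected pattern beside a hardened handler that verifies the nonce and the caller's capability.

```php
<?php
// Added illustrative WordPress AJAX handlers; hypothetical names, not the
// Gestpay for WooCommerce / Ecommerce Fabrick plugin's own code.

// --- Unprotected pattern: the handler trusts any POST that reaches it. A
// --- request forged by another site and sent by a logged-in administrator's
// --- browser carries the admin's cookies, so it is accepted as-is.
function example_unprotected_ajax_delete_card() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    delete_user_meta( $user_id, 'example_default_card_token' );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_delete_card', 'example_unprotected_ajax_delete_card' );

// --- Hardened pattern ---
// 1. Hand a nonce only to the script that legitimately calls the action.
function example_enqueue_card_script() {
    wp_enqueue_script( 'example-cards', plugins_url( 'cards.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-cards', 'exampleCards', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_card' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_card_script' );

// 2. Verify the nonce and the caller's capability before touching state.
function example_hardened_ajax_delete_card() {
    // check_ajax_referer() terminates the request (HTTP 403, body "-1") when
    // the 'nonce' field is missing or does not match the action name and
    // the current user's session; a cross-site page cannot obtain that value.
    check_ajax_referer( 'example_delete_card', 'nonce' );

    // A nonce proves intent, not authorization: still enforce a capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user_id = absint( $_POST['user_id'] ?? 0 );
    if ( 0 === $user_id ) {
        wp_send_json_error( 'invalid user', 400 );
    }
    delete_user_meta( $user_id, 'example_default_card_token' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_card', 'example_hardened_ajax_delete_card' );
// No wp_ajax_nopriv_ hook is registered, so logged-out callers reach no handler.
```

The nonce check alone stops the forged-request path; the capability check is what keeps a low-privileged but logged-in user from calling the action directly, so both belong in the handler.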
Attacker capabilities (what an attacker can do)
Trick a logged-in admin into performing unwanted actions on the site via a malicious link or page.
Site impact (potential impact on your site)
Site admins could unknowingly trigger actions that disrupt site availability or functionality.
Prerequisites (conditions required to exploit)
An administrator must visit the attacker's link or page while logged into the site.
Disclosure timeline (key dates)
February 28, 2024: CVE published
April 8, 2026: Record updated