CVE-2022-2432

Ecwid Ecommerce Shopping Cart <= 6.10.23 - Cross-Site Request Forgery to Settings/Options Update

The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link.

We have discovered 3 live websites that are affected by CVE-2022-2432.

Affected Software


Product	Ecwid Ecommerce Shopping Cart
Category	Wordpress Plugins
Vulnerable Versions	from 6.10.23 through 6.10.23
Total Vulnerable Versions	124
Vulnerable Domains	3 live websites (0.11% of Ecwid Ecommerce Shopping Cart install base)

Common Weakness Enumeration

CWE-352 Cross-Site Request Forgery (CSRF)

Distribution by Website Rank

The diagram provides a graphic representation of the correlation between the occurrence of CVE-2022-2432 and the relative popularity of websites

Available Reports

Website List

Details

Published - Sep 7, 2022
Updated - Sep 7, 2022

Credits

Marco Wotschka, Wordfence

CWE

CWE-352

CVE References

CWE References

cwe.mitre.org

Countries

United States	2 websites

Malaysia	1 websites

TLDs

.com	2 websites

Vulnerable Versions

Vulnerable versions are highlighted in red

Geographical Distribution

The distribution of websites across the globe that are exposed to CVE-2022-2432 through included software libraries and plugins.

References

Websites affected by CVE-2022-2432

Top websites that are affected by CVE-2022-2432. Please click on the "Contact us" button above to get more information.

Domain	Country	Rank
*************.com	United States	,,*
****.*.my	Malaysia	,,**
***********************.com	United States	,,**

See full domain list