Description
WordPress Plugin WooCommerce is prone to a cross-site request forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application; other attacks are also possible. WordPress Plugin WooCommerce version 3.6.4 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 3.6.5 or latest
References
https://mp.weixin.qq.com/s/j79MNsy-tnJQGfFg7ROxTw
https://paper.seebug.org/1056/
https://blog.ripstech.com/2019/woocommerce-csrf-to-stored-xss/
https://woocommerce.wordpress.com/2019/07/02/woocommerce-3-6-5-security-release/
Related Vulnerabilities
WordPress Plugin Gwolle Guestbook Cross-Site Scripting (2.5.3)
WordPress Plugin wp heyloyalty Remote Code Execution (1.1.4)
Jboss EAP Permissions, Privileges, and Access Controls Vulnerability (CVE-2010-1429)
PHP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2010-2531)
WordPress Plugin Events Manager Cross-Site Scripting (5.8.1.1)