Description
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Friendly Functions for Welcart WordPress plugin. The plugin's settings update functionality lacks proper nonce verification, allowing an attacker to trick an authenticated administrator into unknowingly modifying plugin settings through a crafted request.
Welcart is a popular Japanese e-commerce plugin for WordPress, and the Friendly Functions extension adds supplementary functionality. This CSRF vulnerability could be leveraged to alter e-commerce settings affecting payment processing, shipping, and store configuration.
Technical Details
The vulnerability exists in the plugin's settings handler where administrative actions are processed without validating a WordPress nonce token. This means the server cannot distinguish between a legitimate settings update initiated by the admin and a forged request from an attacker-controlled page.
Attack Vector
The attack requires social engineering — the attacker must convince an authenticated WordPress administrator to visit a malicious page while logged into the target site. The malicious page contains a hidden form that automatically submits a settings update request to the vulnerable endpoint.
Vulnerability Characteristics
- Authentication: Not required for the attacker (exploits the admin's authenticated session)
- Attack Complexity: Low — standard CSRF payload construction
- Privileges Required: None (but requires an admin to be logged in)
- User Interaction: Required — admin must visit attacker-controlled page
Impact Assessment
Successful exploitation of this vulnerability could lead to:
- Settings Manipulation: Unauthorized modification of Welcart e-commerce configuration
- Business Logic Abuse: Potential alteration of payment, shipping, or pricing settings
- Chained Attacks: Modified settings could enable further exploitation vectors
- Data Integrity: E-commerce configuration changes could affect transaction processing
The severity is rated Medium (CVSS 4.3) because exploitation requires user interaction (the admin must visit a malicious page) and the direct impact is limited to settings modification.
Proof of Concept
The proof of concept includes:
- A crafted HTML page containing an auto-submitting form targeting the vulnerable settings endpoint
- A Nuclei template for automated detection
- ModSecurity and Nginx WAF rules for mitigation
Full PoC, detection templates, and WAF rules are available in the GitHub repository.
Remediation Steps
For Site Administrators
- Update immediately to Friendly Functions for Welcart version 1.2.6 or later
- Review Welcart settings for any unauthorized changes
- Implement a Web Application Firewall with CSRF protection rules
- Educate administrators about phishing and social engineering risks
For Plugin Developers
- Implement WordPress nonce verification on all state-changing actions
- Use
wp_nonce_field()andwp_verify_nonce()for form submissions - Apply
check_admin_referer()for admin action handlers - Follow WordPress Plugin Security best practices for CSRF prevention
Disclosure Timeline
- 2025-12-05: Vulnerability discovered during WordPress plugin security audit
- 2025-12-08: Reported through Wordfence Bug Bounty Program
- 2025-12-20: Vendor notified and vulnerability confirmed
- 2026-01-15: Patch released in version 1.2.6
- 2026-01-23: CVE-2026-1208 assigned and publicly disclosed
References
Discovered by: Kai Aizen (SnailSploit)