{"id":2699,"date":"2024-01-24T14:16:38","date_gmt":"2024-01-24T14:16:38","guid":{"rendered":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/"},"modified":"2024-01-24T14:16:38","modified_gmt":"2024-01-24T14:16:38","slug":"category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount","status":"publish","type":"post","link":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/","title":{"rendered":"Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount()"},"content":{"rendered":"
This article reports a Cross-Site Request Forgery (CSRF) vulnerability in the Category Discount Woocommerce plugin for WordPress (CVE-2024-0617). Affected versions are 4.11 and earlier. The issue is caused by missing or incorrect nonce validation in the wpcd_save_discount() function. It allows unauthenticated attackers to modify product category discounts through a forged request, provided they can trick a site administrator into performing an action such as clicking a link.<\/div>\n

Cross-Site Request Forgery (CSRF) is an attack in which an attacker's page causes the browser of an authenticated user to send a request that the user did not intend. The browser attaches the victim's session cookies to that request automatically, so the target site processes it as if the user had submitted it. WordPress defends against this with nonces: per-user, per-action tokens that a legitimate form carries and that a state-changing handler must verify before acting. In this case the Category Discount Woocommerce plugin is vulnerable because wpcd_save_discount() does not verify such a nonce, or verifies it incorrectly.<\/p>\n

Because the nonce is not validated, an attacker with no account on the site can craft a request that changes the discounts of product categories. The attacker still needs a logged-in administrator to trigger wpcd_save_discount(): typically by luring the administrator to an attacker-controlled page that auto-submits a form to the vulnerable endpoint, or by sending a malicious link by email or embedding it in another website. Two practical limits follow from this: the attack only works while a privileged user is logged in to the target site, and its impact is bounded by what this handler does, namely changing category discounts, which on a live shop directly affects pricing.<\/p>\n

To remediate this issue, update the Category Discount Woocommerce plugin to the latest available version, which at the time of writing is 4.12; that release contains the fix for the CSRF vulnerability. Site administrators should also remain alert to social engineering and avoid clicking suspicious or untrusted links without verifying their origin and authenticity, especially while logged in to wp-admin. For plugin developers the general rule is the same one WordPress applies to its own settings forms: every handler that changes state must verify a nonce (check_admin_referer() or wp_verify_nonce() against a token emitted with wp_nonce_field() or wp_create_nonce()) and must separately check the caller's capability with current_user_can(), because a nonce only proves the request came from the site's own form, not that the user is authorised to make the change.<\/p><\/div>\n
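To make the defect and the fix concrete, the following PHP is an added illustration and not the plugin's own code (the article does not show the plugin's source): a minimal WordPress admin-post handler that stores a per-category discount, first in the vulnerable shape the article describes and then hardened with WordPress's nonce and capability APIs. The option name, the form field names, the text domain and the two admin-post action names are assumptions.<\/p>\n

```php
<?php
// Added illustrative example: this is NOT the Category Discount Woocommerce
// plugin's source, which the article does not show. The option name, the form
// field names, the text domain and the two admin-post action names are assumptions.

// ---------------------------------------------------------------------------
// Vulnerable pattern: a state-changing handler with no nonce and no capability
// check. Any POST to admin-post.php?action=wpcd_example_save_vuln that carries
// an administrator's cookies is honoured, including one auto-submitted by a
// form on an attacker's page, which is exactly the CSRF scenario described above.
// ---------------------------------------------------------------------------
function wpcd_example_save_discount_vulnerable() {
    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    $discount    = isset( $_POST['discount'] ) ? floatval( $_POST['discount'] ) : 0.0;
    if ( $category_id ) {
        update_option( 'wpcd_example_discount_' . $category_id, $discount );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=wpcd-example' ) );
    exit;
}
add_action( 'admin_post_wpcd_example_save_vuln', 'wpcd_example_save_discount_vulnerable' );

// ---------------------------------------------------------------------------
// Hardened pattern, part 1: the settings form embeds a nonce bound to this
// action and to the logged-in user. A third-party site can neither read nor
// guess it, so a forged form cannot include a valid one.
// ---------------------------------------------------------------------------
function wpcd_example_render_form() {
    ?>
    <form method='post' action='<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>'>
        <input type='hidden' name='action' value='wpcd_example_save'>
        <?php wp_nonce_field( 'wpcd_example_save_discount', 'wpcd_example_nonce' ); ?>
        <label>Category ID <input type='number' name='category_id' min='1'></label>
        <label>Discount % <input type='number' name='discount' min='0' max='100' step='0.01'></label>
        <?php submit_button( 'Save discount' ); ?>
    </form>
    <?php
}

// ---------------------------------------------------------------------------
// Hardened pattern, part 2: the handler verifies the nonce (rejects forged
// cross-site requests) AND the capability (rejects logged-in users who should
// not change shop pricing). A nonce alone is not an authorisation check.
// ---------------------------------------------------------------------------
function wpcd_example_save_discount_hardened() {
    // Dies with HTTP 403 if the nonce is missing, expired, or was issued for a
    // different user or a different action.
    check_admin_referer( 'wpcd_example_save_discount', 'wpcd_example_nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to change discounts.', 'wpcd-example' ), 403 );
    }

    $category_id = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
    $discount    = isset( $_POST['discount'] ) ? floatval( $_POST['discount'] ) : 0.0;

    // Clamp to a sane range so neither a typo nor a crafted value can yield a
    // negative price or a discount above 100 percent.
    $discount = max( 0.0, min( 100.0, $discount ) );

    // Only accept IDs of existing WooCommerce product categories.
    if ( $category_id && term_exists( $category_id, 'product_cat' ) ) {
        update_option( 'wpcd_example_discount_' . $category_id, $discount );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=wpcd-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_wpcd_example_save', 'wpcd_example_save_discount_hardened' );
```

Wire wpcd_example_render_form() into any admin page callback, submit the form once, then replay the same POST from another origin or simply with the wpcd_example_nonce field removed against each handler: the vulnerable one saves the discount, the hardened one answers 403 before any state changes. WordPress nonces are valid for between 12 and 24 hours and are tied to the user session, so a token captured from one administrator is useless against another.<\/p>\n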

In conclusion, the Category Discount Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because wpcd_save_discount() does not validate a nonce. Site administrators should update the plugin to the latest available version and stay aware of social engineering attempts. Taking these precautions and following basic security practices helps protect against this class of vulnerability and keeps the product category discounts on the site intact.<\/div>\n","protected":false},"excerpt":{"rendered":"

This article reports a Cross-Site Request Forgery (CSRF) vulnerability in the Category Discount Woocommerce plugin for WordPress (CVE-2024-0617). Affected versions are 4.11 and earlier. The issue is caused by missing or incorrect nonce validation in the wpcd_save_discount() function. This vulnerability allows unauthenticated attackers […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[416],"class_list":["post-2699","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cve-2024-0617"],"yoast_head":"\nCategory Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Category Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es\" \/>\n<meta property=\"og:description\" content=\"This article reports a Cross-Site Request Forgery (CSRF) vulnerability in the Category Discount Woocommerce plugin for WordPress (CVE-2024-0617). Affected versions are 4.11 and earlier. The issue is caused by missing or incorrect nonce validation in the wpcd_save_discount() function. 
This vulnerability allows unauthenticated attackers […]\" \/>\n<meta property=\"og:url\" content=\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/\" \/>\n<meta property=\"og:site_name\" content=\"SeguridadWordPress.es\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-24T14:16:38+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/\",\"url\":\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/\",\"name\":\"Category Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es\",\"isPartOf\":{\"@id\":\"http:\/\/127.0.0.1\/#website\"},\"datePublished\":\"2024-01-24T14:16:38+00:00\",\"dateModified\":\"2024-01-24T14:16:38+00:00\",\"author\":{\"@id\":\"\"},\"breadcrumb\":{\"@id\":\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/127.0.0.1\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Category Discount Woocommerce <= 
4.11 – Cross-Site Request Forgery via wpcd_save_discount()\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/127.0.0.1\/#website\",\"url\":\"http:\/\/127.0.0.1\/\",\"name\":\"SeguridadWordPress.es\",\"description\":\"Collection of WordPress vulnerabilities.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/127.0.0.1\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Category Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/","og_locale":"en_US","og_type":"article","og_title":"Category Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es","og_description":"This article reports a Cross-Site Request Forgery (CSRF) vulnerability in the Category Discount Woocommerce plugin for WordPress (CVE-2024-0617). Affected versions are 4.11 and earlier. The issue is caused by missing or incorrect nonce validation in the wpcd_save_discount() function. This vulnerability allows unauthenticated attackers […]","og_url":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/","og_site_name":"SeguridadWordPress.es","article_published_time":"2024-01-24T14:16:38+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/","url":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/","name":"Category Discount Woocommerce <= 4.11 - Cross-Site Request Forgery via wpcd_save_discount() - SeguridadWordPress.es","isPartOf":{"@id":"http:\/\/127.0.0.1\/#website"},"datePublished":"2024-01-24T14:16:38+00:00","dateModified":"2024-01-24T14:16:38+00:00","author":{"@id":""},"breadcrumb":{"@id":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/127.0.0.1\/category-discount-woocommerce-4-11-cross-site-request-forgery-a-traves-de-wpcd_save_discount\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/127.0.0.1\/"},{"@type":"ListItem","position":2,"name":"Category Discount Woocommerce <= 4.11 – Cross-Site Request Forgery via wpcd_save_discount()"}]},{"@type":"WebSite","@id":"http:\/\/127.0.0.1\/#website","url":"http:\/\/127.0.0.1\/","name":"SeguridadWordPress.es","description":"Collection of WordPress vulnerabilities.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/127.0.0.1\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"}]}},"amp_enabled":true,"_links":{"self":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2699"}],"collection":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=2699"}],"version-history":[{"count":0,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/2699\/revisions"}],"wp:attachment":[{"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=2699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=2699"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=2699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}