Skip to main content

Woosalam Plugin EUVDEUVD-2026-43436

| CVE-2026-61956 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
vuln.today AI
6.5 MEDIUM

Network CSRF with low complexity and no attacker auth (PR:N) but mandatory victim interaction (UI:R); forged state changes give I:H, with no direct data read (C:N) or availability loss.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:21 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in hamsalam ووسلام &#8211; همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام &#8211; همگام سازی ووکامرس و باسلام: from n/a through <= 1.9.1.

AnalysisAI

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious CSRF page
Delivery
Lure logged-in WordPress admin to visit
Exploit
Browser auto-submits forged request with session cookies
Execution
Plugin processes request without nonce check
Impact
Attacker-controlled state change applied

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user (typically an administrator or shop manager with access to the Woosalam plugin's actions) to be actively logged in and then tricked into loading attacker-controlled content in the same browser - this UI:R (user interaction required) step is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, score 7.1 High) shows a network-reachable, low-complexity attack needing no attacker privileges but requiring victim user interaction (UI:R) - consistent with CSRF, where the attacker cannot act directly but must trick an authenticated user into loading a crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page or email containing a hidden auto-submitting form or image that targets a vulnerable Woosalam action, then lures a logged-in WordPress administrator to open it. The victim's browser, carrying valid session cookies, submits the forged request and the plugin processes it as legitimate because no anti-CSRF token is validated, allowing the attacker to alter plugin/store settings. …
Remediation No vendor-released patched version was identified at time of analysis - the advisory lists all versions through 1.9.1 as affected without naming a fixed release, so confirm availability of a version newer than 1.9.1 directly with the plugin author or via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/sync-basalam/vulnerability/wordpress-oosl-m-hm-m-s-z-oo-mrs-o-b-sl-m-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability) before relying on an upgrade. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Woosalam versions through 1.9.1 and identify active admin accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy