Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Network CSRF with low complexity and no attacker auth (PR:N) but mandatory victim interaction (UI:R); forged state changes give I:H, with no direct data read (C:N) or availability loss.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in hamsalam ووسلام – همگام سازی ووکامرس و باسلام sync-basalam allows Cross Site Request Forgery.This issue affects ووسلام – همگام سازی ووکامرس و باسلام: from n/a through <= 1.9.1.
AnalysisAI
Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated WordPress user (typically an administrator or shop manager with access to the Woosalam plugin's actions) to be actively logged in and then tricked into loading attacker-controlled content in the same browser - this UI:R (user interaction required) step is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N, score 7.1 High) shows a network-reachable, low-complexity attack needing no attacker privileges but requiring victim user interaction (UI:R) - consistent with CSRF, where the attacker cannot act directly but must trick an authenticated user into loading a crafted page. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious web page or email containing a hidden auto-submitting form or image that targets a vulnerable Woosalam action, then lures a logged-in WordPress administrator to open it. The victim's browser, carrying valid session cookies, submits the forged request and the plugin processes it as legitimate because no anti-CSRF token is validated, allowing the attacker to alter plugin/store settings. … |
| Remediation | No vendor-released patched version was identified at time of analysis - the advisory lists all versions through 1.9.1 as affected without naming a fixed release, so confirm availability of a version newer than 1.9.1 directly with the plugin author or via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/sync-basalam/vulnerability/wordpress-oosl-m-hm-m-s-z-oo-mrs-o-b-sl-m-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability) before relying on an upgrade. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations using Woosalam versions through 1.9.1 and identify active admin accounts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43436