CVE-2022-47150 - Vulnerability Details

- WordPress WooCommerce Conversion Tracking plugin <= 2.0.10 - Cross-Site Request Forgery (CSRF) vulnerability

Description

Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery.

This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10.

Published: 2026-06-11

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a classic CSRF flaw that allows an attacker to forge a request that the victim’s browser will unknowingly execute while authenticated. This can lead to unintended changes to the plugin’s configuration or data, potentially affecting store tracking and reporting. The weakness is identified as CWE‑352, which highlights insufficient request validation.

Affected Systems

The issue affects the weDevs WooCommerce Conversion Tracking plugin installed in WordPress. All versions up to and including 2.0.10 are vulnerable. Version information starts from the earliest available release up through 2.0.10.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk level. EPSS data is not available, so the exploitation probability cannot be precisely quantified but is generally considered low to moderate for CSRF cases. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to persuade an authenticated user to submit a crafted request, making it a user‑agent‑based threat vector.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

weDevs

WooCommerce Conversion Tracking

unaffected

Version	Status	Constraints
`n/a`	affected	≤ 2.0.10

No data.

Vendor Product Confidence Versions

Wedevs

Woocommerce Conversion Tracking

100%

Version	Status	Scheme	Platform
`[0,2.0.10]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update the WordPress WooCommerce Conversion Tracking plugin to the latest available version (at least 2.0.11).

OpenCVE Recommended Actions

Update the WooCommerce Conversion Tracking plugin to version 2.0.11 or later.
If an upgrade is not immediately possible, implement strict CSRF tokens on all plugin‑related admin forms or enforce referer header checks.
If the plugin is not essential, consider disabling or uninstalling it until a patch is applied.

Generated by OpenCVE AI on June 11, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/woocommerce-conversion-tracking/vulnerability/wordpress-woocommerce-conversion-tracking-plugin-2-0-10-csrf-broken-access-control?_s_id=cve

History

Thu, 11 Jun 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 11 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wedevs Wedevs woocommerce Conversion Tracking Wordpress Wordpress wordpress
Vendors & Products		Wedevs Wedevs woocommerce Conversion Tracking Wordpress Wordpress wordpress

Thu, 11 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10.
Title		WordPress WooCommerce Conversion Tracking plugin <= 2.0.10 - Cross-Site Request Forgery (CSRF) vulnerability
Weaknesses		CWE-352
References		https://patchstack.com/database/wordpress/plugin/woocommerce-conversion-tracking/vulnerability/wordpress-woocommerce-conversion-tracking-plugin-2-0-10-csrf-broken-access-control?_s_id=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}`

Subscriptions

Wedevs Woocommerce Conversion Tracking

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-06-11T10:43:01.912Z

Updated: 2026-06-11T12:25:01.706Z

Reserved: 2022-12-12T11:41:44.114Z

Link: CVE-2022-47150

Vulnrichment

Updated: 2026-06-11T12:24:57.789Z

NVD

Status : Deferred

Published: 2026-06-11T12:16:29.607

Modified: 2026-06-11T14:42:47.007

Link: CVE-2022-47150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses

CWE-352
Cross-Site Request Forgery (CSRF)

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object