Description
Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce (wallet-system-for-woocommerce) allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through <= 2.6.7.
Published: 2025-07-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Wallet System for WooCommerce plugin contains a Cross-Site Request Forgery (CWE-352) vulnerability: an attacker can cause the browser of a user who is logged in to the site to submit a plugin action without that user's consent, because the affected handler does not verify that the request was intentionally issued from the site itself. In WordPress plugins the usual cause is a missing or unchecked nonce on a state-changing handler; the advisory does not name the affected action or confirm the root cause, so that part is inferred. The flaw is present in all releases up to and including version 2.6.7, per the CVE record (assigned by Patchstack).

Affected Systems

Any WordPress site running the WP Swings Wallet System for WooCommerce plugin (slug wallet-system-for-woocommerce) at version 2.6.7 or earlier is affected. The advisory lists no preconditions beyond the plugin version. Note that a CSRF request is sent by the victim's own browser, so exploitation still requires a victim who holds a logged-in session on the target site (reflected in the CVSS vector as UI:R).

Risk and Exploitability

The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N gives a score of 4.3 (Medium): network-reachable, low attack complexity and no privileges required for the attacker, but user interaction required, with a limited integrity impact and no confidentiality or availability impact. EPSS is below 1% (0.00029), implying a low short-term likelihood of exploitation, the CVE is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack vector is the standard CSRF scenario: the attacker lures a user who is logged in to the WordPress site onto a page the attacker controls, and that page submits a crafted request (for example an auto-submitting form) to the vulnerable plugin endpoint; the victim's browser attaches the site's session cookies, so the plugin processes the request as that user. Because a logged-in victim has to be lured and the observed exploitation probability is low, the overall risk is moderate, but the issue should still be scheduled for remediation rather than ignored.

Generated by OpenCVE AI on May 1, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wallet System for WooCommerce plugin to a release newer than 2.6.7 as soon as one is available; the CVE record's "through <= 2.6.7" bound places later releases outside the affected range, but no vendor fix is recorded on this page
  • If an upgrade cannot be applied immediately, do not rely on restricting wallet‑related endpoints to authenticated sessions: the forged request is sent by the victim's own authenticated browser, so that restriction does not mitigate CSRF. Instead, at the web‑application firewall or reverse proxy, reject state‑changing requests to the plugin's endpoints whose Origin header (or, if absent, Referer header) is not the site's own origin, and set a SameSite attribute on the site's cookies where that is compatible with the site
  • Monitor wallet transaction logs for unexpected balance changes or other unusual activity, and consider disabling the plugin temporarily until a patched version is deployed

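The following is an added example, not code from the Wallet System for WooCommerce plugin or from OpenCVE. It models the CSRF scenario described under Risk and Exploitability (same session cookie, attacker-controlled page) and the two defences behind the WAF recommendation above: a WordPress-style nonce checked by the handler, and an Origin/Referer check of the kind a WAF rule can enforce without a code change. The nonce derivation is modelled on WordPress core's wp_create_nonce()/wp_verify_nonce() (HMAC over a time tick, the action name, the user id and the session token). The action name `wallet_action`, the site origin, the session table, the salt and the sample requests are all constructed for the demo; the advisory does not name the plugin's affected action.

```python
# Added example, not code from the Wallet System for WooCommerce plugin or OpenCVE.
# ACTION, SITE_ORIGIN, SESSIONS and NONCE_SALT are constructed for the demo; the
# real affected action is not named in the advisory.
import hashlib
import hmac
import math
from dataclasses import dataclass

NONCE_LIFE = 24 * 60 * 60              # WordPress DAY_IN_SECONDS
SITE_ORIGIN = "https://shop.example"   # assumed site origin
ACTION = "wallet_action"               # hypothetical action name
NONCE_SALT = b"constructed-demo-salt"  # WordPress derives this from NONCE_KEY/NONCE_SALT
T0 = 1_700_000_000.0                   # fixed "now" so the demo is reproducible

# Constructed session store: cookie value -> (user_id, session_token)
SESSIONS = {"wp_sess_abc": (7, "tok-7-xyz")}


@dataclass
class Request:
    headers: dict
    cookies: dict
    form: dict


def nonce_tick(now: float) -> int:
    # WordPress: ceil(time() / (nonce_life / 2)); a nonce is accepted for the
    # current tick and the previous one, i.e. between 12 and 24 hours.
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick: int, action: str, user_id: int, token: str) -> str:
    data = f"{tick}|{action}|{user_id}|{token}".encode()
    digest = hmac.new(NONCE_SALT, data, hashlib.md5).hexdigest()
    return digest[-12:-2]  # WordPress keeps 10 hex chars: substr(hash, -12, 10)


def create_nonce(action: str, user_id: int, token: str, now: float = T0) -> str:
    """Modelled on wp_create_nonce(): bound to action, user and session."""
    return _nonce_for_tick(nonce_tick(now), action, user_id, token)


def verify_nonce(nonce: str, action: str, user_id: int, token: str, now: float = T0) -> int:
    """Modelled on wp_verify_nonce(): 1 = current tick, 2 = previous tick, 0 = invalid."""
    if not nonce:
        return 0
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, action, user_id, token), nonce):
            return age
    return 0


def origin_is_same_site(headers: dict) -> bool:
    """WAF-style check for state-changing requests: Origin (or Referer) must be
    our own site. Page scripts cannot forge these headers, so a cross-site form
    post fails here even though the victim's cookies are attached. Requests
    carrying neither header are rejected (fail closed)."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        origin = "/".join(referer.split("/", 3)[:3])  # scheme://host[:port]
    return origin == SITE_ORIGIN


def vulnerable_handler(req: Request) -> dict:
    """The CWE-352 pattern: the session cookie is the only check, and the
    victim's browser attaches it to a forged request as well."""
    session = SESSIONS.get(req.cookies.get("wp_sess"))
    if session is None:
        return {"status": 403, "reason": "not logged in"}
    return {"status": 200, "user": session[0], "applied": dict(req.form)}


def hardened_handler(req: Request, now: float = T0) -> dict:
    """Same handler with the checks a WordPress AJAX handler should perform
    (check_ajax_referer() plus a capability check in PHP) and the WAF-side
    Origin check."""
    session = SESSIONS.get(req.cookies.get("wp_sess"))
    if session is None:
        return {"status": 403, "reason": "not logged in"}
    user_id, token = session
    if not origin_is_same_site(req.headers):
        return {"status": 403, "reason": "cross-site origin"}
    if not verify_nonce(req.form.get("_wpnonce", ""), ACTION, user_id, token, now):
        return {"status": 403, "reason": "bad nonce"}  # check_ajax_referer() would die here
    return {"status": 200, "user": user_id, "applied": dict(req.form)}


def run_demo(now: float = T0) -> dict:
    """Legitimate request (same origin, valid nonce) vs. a forged one: same cookie,
    attacker origin, no nonce (the nonce is tied to the victim's session token)."""
    user_id, token = SESSIONS["wp_sess_abc"]
    good = Request({"Origin": SITE_ORIGIN}, {"wp_sess": "wp_sess_abc"},
                   {"action": ACTION, "amount": "100",
                    "_wpnonce": create_nonce(ACTION, user_id, token, now)})
    forged = Request({"Origin": "https://attacker.example"}, {"wp_sess": "wp_sess_abc"},
                     {"action": ACTION, "amount": "100"})
    return {
        "vulnerable_good": vulnerable_handler(good)["status"],
        "vulnerable_forged": vulnerable_handler(forged)["status"],  # 200: the bug
        "hardened_good": hardened_handler(good, now)["status"],
        "hardened_forged": hardened_handler(forged, now)["status"],  # 403
    }
```

Calling run_demo() shows the vulnerable handler accepting both requests with status 200 while the hardened handler rejects the forged one with 403. In a real plugin the PHP equivalents are wp_nonce_field()/wp_create_nonce() when the form is rendered and check_ajax_referer() or wp_verify_nonce() in the handler, alongside a current_user_can() check. A WAF cannot validate plugin nonces, so the Origin/Referer rule is the only header-level control available without a code change; browsers' SameSite=Lax defaults blunt cross-site POSTs but do not eliminate them unless the site's cookies set SameSite explicitly, so do not rely on that alone.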


Advisories

Source: EUVD
ID: EUVD-2025-21662
Title: Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through 2.6.7.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Values removed: Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through 2.6.7.
    Values added: Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce wallet-system-for-woocommerce allows Cross Site Request Forgery.This issue affects Wallet System for WooCommerce: from n/a through <= 2.6.7.
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Wed, 16 Jul 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 16 Jul 2025 13:45:00 +0000
  Metrics (epss): {'score': 0.00029}

Wed, 16 Jul 2025 10:45:00 +0000
  Description: Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through 2.6.7.
  Title: WordPress Wallet System for WooCommerce plugin <= 2.6.7 - Cross Site Request Forgery (CSRF) Vulnerability
  Weaknesses: CWE-352
  References
  Metrics (cvssV3_1): {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:29.789Z

Reserved: 2025-07-16T08:51:58.890Z

Link: CVE-2025-54041

Vulnrichment

Updated: 2025-07-16T20:03:31.980Z

NVD

Status : Deferred

Published: 2025-07-16T11:15:31.640

Modified: 2026-04-23T15:32:45.353

Link: CVE-2025-54041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:00:06Z

Weaknesses