
CVE-2021-34645: CWE-352 Cross-Site Request Forgery (CSRF) in WP EasyCart Shopping Cart & eCommerce Store

Severity: High
Tags: Vulnerability, CVE-2021-34645, CVE, CWE-352
Published: Thu Aug 19 2021 (08/19/2021, 15:25:44 UTC)
Source: CVE
Vendor/Project: WP EasyCart
Product: Shopping Cart & eCommerce Store

Description

The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.

AI-Powered Analysis

Last updated: 07/05/2025, 22:11:05 UTC

Technical Analysis

CVE-2021-34645 is a high-severity vulnerability affecting the WP EasyCart Shopping Cart & eCommerce Store WordPress plugin, specifically versions up to and including 5.1.0. The vulnerability is classified as a Cross-Site Request Forgery (CSRF) issue (CWE-352) found in the save_currency_settings function within the ~/admin/inc/wp_easycart_admin_initial_setup.php file. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting a forged HTTP request, which can lead to unauthorized actions being executed on the user's behalf without their consent. In this case, the vulnerability enables attackers to inject arbitrary web scripts by exploiting the lack of proper CSRF protections when saving currency settings. The CVSS 3.1 base score of 8.8 indicates a high impact, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H highlighting that the attack can be performed remotely over the network with low attack complexity, requires no privileges but does require user interaction (UI:R), and results in high confidentiality, integrity, and availability impacts. Although no known exploits are reported in the wild, the vulnerability poses a significant risk due to the potential for attackers to manipulate eCommerce settings, inject malicious scripts, and compromise the integrity and availability of online stores using this plugin. The vulnerability was publicly disclosed in August 2021, and no official patch links are provided in the data, indicating that users must verify if updates or mitigations have been released since then.

Potential Impact

For European organizations operating eCommerce websites using the WP EasyCart plugin, this vulnerability could lead to severe consequences. Attackers exploiting this CSRF flaw could alter currency settings, potentially disrupting pricing, payment processing, and customer transactions. The injection of arbitrary scripts could facilitate further attacks such as session hijacking, data theft, or distribution of malware to customers. This undermines customer trust, damages brand reputation, and may lead to financial losses due to fraudulent transactions or downtime. Additionally, compromised eCommerce platforms may violate GDPR requirements concerning data protection and security, exposing organizations to regulatory penalties. The high confidentiality, integrity, and availability impacts mean that sensitive customer data and business operations are at risk, making this vulnerability particularly critical for European businesses reliant on WP EasyCart for their online sales.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should immediately verify the version of WP EasyCart in use and upgrade to the latest version where the vulnerability is patched. If an official patch is not available, organizations should implement manual CSRF protections such as adding nonce verification tokens to the save_currency_settings function and validating these tokens server-side to ensure requests are legitimate. Additionally, restricting administrative access to trusted IP addresses and enforcing multi-factor authentication (MFA) for admin users can reduce the risk of exploitation. Web Application Firewalls (WAFs) should be configured to detect and block suspicious CSRF attack patterns targeting the plugin’s endpoints. Regular security audits and monitoring for unusual administrative actions or changes in currency settings can help detect exploitation attempts early. Finally, educating administrators about the risks of CSRF and the importance of not clicking on suspicious links while logged into the admin panel can reduce user interaction risks.
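The nonce-based protection recommended above, as an added illustration that is not WP EasyCart's code: a hypothetical currency-settings handler in the weak form (any request arriving with the admin's cookies is honoured) beside a hardened form that verifies a WordPress nonce, checks the caller's capability, and sanitizes the stored value. The function and option names (ec_save_currency_settings_weak, ec_currency_symbol, and so on) are assumptions chosen for the example.

```php
<?php
// Added example, not code from the WP EasyCart plugin. Function and option
// names are assumptions; only the WordPress API calls are real.

// Weak form of the pattern described in the advisory: the handler trusts any
// POST that carries a logged-in admin's session, so a form submitted from a
// third-party page can change the setting without the admin intending it,
// and the unsanitized value may later be echoed into admin pages.
function ec_save_currency_settings_weak() {
    update_option( 'ec_currency_symbol', $_POST['ec_currency_symbol'] );
}

// Hardened form: the settings form embeds a nonce tied to this action...
function ec_render_currency_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ec_save_currency_settings">
        <?php wp_nonce_field( 'ec_save_currency_settings', 'ec_currency_nonce' ); ?>
        <input type="text" name="ec_currency_symbol"
               value="<?php echo esc_attr( get_option( 'ec_currency_symbol', '$' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// ...and the handler refuses to act unless that nonce verifies server-side.
function ec_save_currency_settings_hardened() {
    // 1. Nonce check: a cross-site form cannot know the per-user, per-action token.
    if ( ! isset( $_POST['ec_currency_nonce'] )
         || ! wp_verify_nonce( $_POST['ec_currency_nonce'], 'ec_save_currency_settings' ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Capability check: nonces prove intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 3. Sanitize before storing so the option cannot carry script markup.
    $symbol = sanitize_text_field( wp_unslash( $_POST['ec_currency_symbol'] ?? '' ) );
    update_option( 'ec_currency_symbol', $symbol );
    wp_safe_redirect( admin_url( 'admin.php?page=ec_currency&saved=1' ) );
    exit;
}
add_action( 'admin_post_ec_save_currency_settings', 'ec_save_currency_settings_hardened' );
```

When auditing a plugin for this weakness class, look for admin-side handlers that call update_option (or write settings some other way) without a preceding wp_verify_nonce or check_admin_referer call and without a current_user_can check.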


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2021-06-10T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981fc4522896dcbdc921

Added to database: 5/21/2025, 9:08:47 AM

Last enriched: 7/5/2025, 10:11:05 PM

Last updated: 8/15/2025, 3:33:41 PM
