CVE-2023-6292: 
WordPress vulnerability analysis and mitigation

CVE-2023-6292 affects the Ecwid Ecommerce Shopping Cart WordPress plugin versions below 6.12.5. The vulnerability was discovered by Krzysztof Zając from CERT PL and was publicly disclosed on November 21, 2023 (WPScan).

The vulnerability is classified as a Cross-Site Request Forgery (CSRF) with a CVSS score of 4.3 (medium). The issue stems from the plugin's lack of CSRF checks when updating its settings, which affects multiple AJAX actions including ecwid_storefront_set_status, ecwid_storefront_set_store_on_front, ecwid_storefront_set_display_cart_icon, ecwid_storefront_set_page_slug, ecwid_storefront_set_mainpage, ecwid_storefront_create_page, and ecwid-save-spw-params (WPScan).

The vulnerability could allow attackers to make unauthorized changes to the plugin's settings through a CSRF attack when an administrator is logged in. This includes the ability to modify store settings and even disable the store functionality (WPScan).

The vulnerability has been fixed in version 6.12.5 of the Ecwid Ecommerce Shopping Cart plugin. Users are advised to update to this version or later to protect against potential CSRF attacks (WPScan).