CVE-2024-11842: 
WordPress vulnerability analysis and mitigation

The DN Shipping by Weight for WooCommerce WordPress plugin before version 1.2 contains a Cross-Site Request Forgery (CSRF) vulnerability. The vulnerability was discovered and reported by security researcher Bob Matyas on December 6, 2024. This security issue affects the plugin's settings update functionality (WPScan, NVD).

The vulnerability stems from the absence of CSRF protection mechanisms when updating the plugin's settings. The issue has been assigned a CVSS v3.1 score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction (WPScan).

When exploited, this vulnerability allows attackers to modify the plugin's settings through a CSRF attack, provided they can trick an authenticated administrator into clicking on a malicious link or visiting a compromised webpage. The attack can result in the overwriting of existing shipping tables and modification of shipping-related configurations (WPScan).

The vulnerability has been fixed in version 1.2 of the DN Shipping by Weight for WooCommerce plugin. Users are advised to update to this version or later to protect against potential CSRF attacks (WPScan).