CVE-2020-36736

Name of the Vulnerable Software and Affected Versions WooCommerce Checkout & Funnel Builder by CartFlows plugin for WordPress versions up to, and including, 1.5.15

Description The issue is due to missing or incorrect nonce validation on the export json, import json, and status logs file functions. This allows unauthenticated attackers to import/export settings and trigger logs showing via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Recommendations For versions up to, and including, 1.5.15, update to a version higher than 1.5.15 to resolve the issue. As a temporary workaround, consider restricting access to the export json, import json, and status logs file functions until a patch is available.