WordPress · Discy · CVE-2022-1421
**Name of the Vulnerable Software and Affected Versions**
Discy WordPress theme versions prior to 5.2
**Description**
The issue allows an attacker to make a logged-in admin change arbitrary settings, including payment methods, via a CSRF attack due to the lack of CSRF checks in some AJAX actions.
**Recommendations**
For versions prior to 5.2, update to version 5.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the AJAX actions that lack CSRF checks until a patch is available.