PT-2021-23598 · WordPress · Variation Swatches For Woocommerce

Published 2021-12-14 · Updated 2022-08-09 · CVE-2021-42367

CVSS v3.1: 6.4 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Variation Swatches for WooCommerce WordPress plugin, versions up to and including 2.1.1

Description
The plugin is vulnerable to stored cross-site scripting. The settings-save function tawcvs_save_settings in ~/includes/class-menu-page.php performs no authorization check, so any authenticated user, including a subscriber, can call it and store attacker-controlled values through several of its parameters. Because those values are later output without escaping, the attacker can inject arbitrary web scripts that run in the browser of anyone who views the affected page.

Recommendations
Update to a version later than 2.1.1. As a temporary workaround, restrict access to tawcvs_save_settings (for example, require a capability such as manage_options and a valid nonce before any settings are written) so that low-privileged authenticated users cannot reach it.
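The unsafe pattern the advisory describes (a settings-save handler reachable by any logged-in user, with no capability or nonce check, whose stored value is echoed back unescaped) beside a hardened form, as an added illustration that is not the plugin's own code. Every name is a placeholder: the AJAX action example_save_settings, the option key example_swatch_settings and the parameter example_label are assumptions, not identifiers taken from the plugin; manage_options is the standard WordPress capability for administrative settings.

```php
<?php
/**
 * Illustrative WordPress settings-save handler (hypothetical names, not the
 * plugin's code): the unsafe pattern described in the advisory, then a
 * hardened version.
 *
 * Assumed placeholders: action "example_save_settings", option key
 * "example_swatch_settings", request parameter "example_label".
 */

// --- Vulnerable pattern (shown for contrast; not registered here) ------------
// A handler hooked on wp_ajax_{action} is reachable by every logged-in user,
// subscribers included. Nothing checks a capability or a nonce, and the
// submitted value is stored verbatim.
function example_save_settings_vulnerable() {
    $settings = array(
        'example_label' => $_POST['example_label'] ?? '',
    );
    update_option( 'example_swatch_settings', $settings );
    wp_send_json_success();
}

// The stored value is later printed into an admin form without escaping, so a
// payload such as "><script>...</script> closes the attribute and executes in
// the browser of whoever opens the settings page.
function example_render_setting_vulnerable() {
    $settings = get_option( 'example_swatch_settings', array() );
    echo '<input type="text" name="example_label" value="' . $settings['example_label'] . '">';
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // Authorization: only users who may manage site settings can save these.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the request must carry the nonce emitted with the settings form.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Input sanitization: strip tags and control characters before storing.
    $settings = array(
        'example_label' => sanitize_text_field( wp_unslash( $_POST['example_label'] ?? '' ) ),
    );
    update_option( 'example_swatch_settings', $settings );
    wp_send_json_success();
}

// Output escaping is separate from input sanitization; do both. esc_attr()
// neutralizes quotes and angle brackets in the attribute context used here.
function example_render_setting_hardened() {
    $settings = get_option( 'example_swatch_settings', array() );
    $label    = isset( $settings['example_label'] ) ? $settings['example_label'] : '';
    printf(
        '<input type="text" name="example_label" value="%s">',
        esc_attr( $label )
    );
    // Emits the hidden nonce field that check_ajax_referer() above verifies.
    wp_nonce_field( 'example_save_settings', 'nonce' );
}
```

Hooking a handler on wp_ajax_ rather than wp_ajax_nopriv_ only excludes anonymous visitors; it says nothing about privilege, which is why a subscriber account is sufficient to reach the vulnerable function. The capability check has to live inside the handler, and the nonce check on its own would not have closed this issue, since a low-privileged user can obtain a nonce for their own session.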

Fix · Missing Authorization · XSS


Weakness Enumeration

Related Identifiers

CVE-2021-42367

Affected Products

Variation Swatches For Woocommerce