PT-2022-9552 · WordPress · The Ultimate Product Catalog

Krzysztof Zając · Published 2022-02-07 · Updated 2022-10-25 · CVE-2021-24993

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: The Ultimate Product Catalog WordPress plugin, versions prior to 5.0.26

Description: The issue is related to the lack of authorization and CSRF checks in some AJAX actions. This could allow any authenticated user, such as a subscriber, to call these actions and add arbitrary products or change the plugin's settings.

Recommendations: For versions prior to 5.0.26, update to version 5.0.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions that are missing authorization and CSRF checks until a patch is available.
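The weakness class described above is common to WordPress plugins: a `wp_ajax_*` hook fires for every logged-in user, whatever their role, so a handler that performs a privileged write without its own capability check and nonce verification is reachable by a subscriber. The following is an added illustration of the weak pattern next to a hardened one; it is not code from The Ultimate Product Catalog plugin, and the action names, option name, script handle and capability choice are assumptions chosen for the example.

```php
<?php
// Added illustration, not code from The Ultimate Product Catalog plugin.
// Action names, option name, script handle and capability are assumptions.

// --- Weak pattern: any authenticated user can reach this, and no nonce is checked ---
// wp_ajax_* hooks run for every logged-in user regardless of role. Without a
// capability check a subscriber can call the action; without a nonce check the
// request can also be forged from another site (CSRF).
add_action( 'wp_ajax_example_catalog_save_settings', 'example_catalog_save_settings_weak' );
function example_catalog_save_settings_weak() {
    update_option( 'example_catalog_settings', $_POST['settings'] );
    wp_send_json_success();
}

// --- Hardened pattern: nonce check, capability check, input sanitisation ---
add_action( 'wp_ajax_example_catalog_save_settings_v2', 'example_catalog_save_settings_hardened' );
function example_catalog_save_settings_hardened() {
    // 1. CSRF: verify the nonce bound to this specific action. On failure
    //    check_ajax_referer() terminates the request with "-1" (HTTP 403).
    check_ajax_referer( 'example_catalog_save_settings', '_ajax_nonce' );

    // 2. Authorization: being logged in is not enough. Require the capability
    //    that actually governs plugin configuration (manage_options is assumed;
    //    a product-creation action would check a capability such as edit_posts
    //    or a custom one instead).
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends execution, so no return is needed.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate and sanitise the input before persisting it.
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array();
    foreach ( $raw as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = sanitize_text_field( $value );
    }
    update_option( 'example_catalog_settings', $clean );
    wp_send_json_success( array( 'saved' => count( $clean ) ) );
}

// Issue the nonce to the admin page's JavaScript so legitimate requests carry it
// as the _ajax_nonce field that check_ajax_referer() above expects.
add_action( 'admin_enqueue_scripts', 'example_catalog_enqueue' );
function example_catalog_enqueue( $hook ) {
    wp_enqueue_script( 'example-catalog-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-catalog-admin', 'exampleCatalog', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_catalog_save_settings' ),
    ) );
}
```

When reviewing a plugin for this issue, the check is the same for every `wp_ajax_*` (and `wp_ajax_nopriv_*`) registration: does the handler call `check_ajax_referer()` or `wp_verify_nonce()`, and does it call `current_user_can()` with a capability appropriate to the write it performs, before touching options or post data. The temporary workaround in the recommendations above amounts to wrapping the offending handlers in exactly these two checks.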

Exploit

Fix

Weakness Enumeration: Missing Authorization, CSRF

Related Identifiers: CVE-2021-24993

Affected Products: The Ultimate Product Catalog