PT-2022-9552 · WordPress · The Ultimate Product Catalog

·

CVE-2021-24993

·

Published

2022-02-07

·

Updated

2022-10-25

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions The Ultimate Product Catalog WordPress plugin versions prior to 5.0.26
Description The issue is related to the lack of authorization and CSRF checks in some AJAX actions. This could allow any authenticated users, such as subscribers, to call these actions and add arbitrary products or change the plugin's settings.
Recommendations For versions prior to 5.0.26, update to version 5.0.26 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions that are missing authorization and CSRF checks until a patch is available.

Exploit

Fix

Missing Authorization

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2021-24993

Affected Products

The Ultimate Product Catalog