PT-2022-9575 · WordPress · Ppom For Woocommerce
Krzysztof Zając · Published 2022-02-14 · Updated 2022-02-19 · CVE-2021-25018
CVSS v3.1: 5.4 (Medium)
| Metric | Value |
|---|---|
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
PPOM for WooCommerce WordPress plugin versions prior to 24.0
Description
The issue concerns a lack of authorisation and CSRF checks in the ppom settings panel action AJAX action, allowing any authenticated user to call it and set arbitrary settings. Because the stored settings are insufficiently sanitised and escaped, this could also lead to Stored XSS issues.
Recommendations
For versions prior to 24.0, update to version 24.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the ppom settings panel action AJAX action to prevent unauthorised changes to settings. Additionally, restrict the use of the ppom settings panel action function until a patch is available.
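To illustrate the class of defect and the checks the recommendation asks for, the added example below (not the plugin's own code; the `example_*` hook, function and option names are hypothetical) shows a WordPress AJAX settings handler with the weak pattern the advisory describes next to a hardened version that enforces a capability check, a nonce check, input sanitisation and output escaping.

```php
<?php
// Added illustration, not the plugin's code. The hook name
// 'example_settings_panel' and option 'example_plugin_settings' are hypothetical.

// Weak pattern: reachable by any logged-in user via wp_ajax_*, with no
// capability check (authorisation), no nonce check (CSRF), and raw input
// written to the database, so it can later be rendered unescaped.
function example_settings_panel_unsafe() {
    $settings = $_POST['settings'] ?? array();
    update_option( 'example_plugin_settings', $settings ); // stored as-is
    wp_send_json_success();
}

// Hardened handler: authorise, verify the nonce, whitelist keys, sanitise.
function example_settings_panel_secure() {
    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the request must carry a nonce created with
    // wp_create_nonce( 'example_settings_panel' ) in the 'nonce' field;
    // check_ajax_referer() terminates with HTTP 403 on failure.
    check_ajax_referer( 'example_settings_panel', 'nonce' );

    // Accept only known keys and run each through a matching sanitiser.
    $allowed = array(
        'label'   => 'sanitize_text_field',
        'enabled' => 'rest_sanitize_boolean',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( isset( $_POST['settings'][ $key ] ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, wp_unslash( $_POST['settings'][ $key ] ) );
        }
    }
    update_option( 'example_plugin_settings', $clean );
    wp_send_json_success( $clean );
}
// Register the hardened handler for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_settings_panel', 'example_settings_panel_secure' );

// Defence in depth against stored XSS: escape stored values at output time too.
function example_render_label() {
    $settings = get_option( 'example_plugin_settings', array() );
    echo esc_html( $settings['label'] ?? '' );
}
```

The hardened handler still fails closed if the nonce field is absent, which is the behaviour a temporary restriction on the AJAX action should reproduce.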
Exploit
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2021-25018
Affected Products
Ppom For Woocommerce