PT-2023-12440 · WooCommerce · Improved Product Options for WooCommerce (and 15 other plugins)

Jerome Bruandet · Published 2023-06-07 · Updated 2023-06-21

CVE-2021-4337

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Product Filter for WooCommerce versions prior to 8.2.0
Improved Product Options for WooCommerce versions prior to 5.3.0
Improved Sale Badges for WooCommerce versions prior to 4.4.0
Share, Print and PDF Products for WooCommerce versions prior to 2.8.0
Product Loops for WooCommerce versions prior to 1.7.0
XforWooCommerce versions prior to 1.7.0
Package Quantity Discount versions prior to 1.2.0
Price Commander for WooCommerce versions prior to 1.3.0
Comment and Review Spam Control for WooCommerce versions prior to 1.5.0
Add Product Tabs for WooCommerce versions prior to 1.5.0
Autopilot SEO for WooCommerce versions prior to 1.6.0
Floating Cart versions prior to 1.3.0
Live Search for WooCommerce versions prior to 2.1.0
Bulk Add to Cart for WooCommerce versions prior to 1.3.0
Live Product Editor for WooCommerce versions prior to 4.7.0
Warranties and Returns for WooCommerce versions prior to 5.3.0
Description

The issue is due to a missing capability check on the wp_ajax_svx_ajax_factory function, allowing authenticated attackers with subscriber-level permissions and above to bypass authorization. This enables them to read, edit, or delete WordPress settings, plugin settings, and arbitrarily list all users on a WordPress website.
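The bug class described above, shown as an added illustration that is not the affected plugins' own code: a wp_ajax_ handler that dispatches on a caller-supplied function name with no authorization check, beside a hardened form that gates every request behind a nonce, a capability check and an allow-list. The handler, action and option names (svx_example_factory and friends) are assumptions.

```php
<?php
// Added example, not code from the affected plugins. The handler names
// (svx_example_factory_vuln / svx_example_factory) are hypothetical.

// VULNERABLE PATTERN: wp_ajax_ hooks fire for any logged-in user, so a
// subscriber reaches this handler and it dispatches straight to privileged
// WordPress APIs with no capability check.
add_action( 'wp_ajax_svx_example_factory_vuln', 'svx_example_factory_vuln' );
function svx_example_factory_vuln() {
    $func = isset( $_POST['func'] ) ? sanitize_key( $_POST['func'] ) : '';
    if ( 'get_users' === $func ) {
        wp_send_json_success( get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) ) );
    }
    if ( 'update_option' === $func && isset( $_POST['name'], $_POST['value'] ) ) {
        update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown func', 400 );
}

// HARDENED PATTERN: verify the nonce and the capability before any dispatch,
// and only accept operations from a fixed allow-list.
add_action( 'wp_ajax_svx_example_factory', 'svx_example_factory' );
function svx_example_factory() {
    // Rejects forged cross-site requests; dies with HTTP 403 on failure.
    check_ajax_referer( 'svx_example_factory', 'nonce' );

    // Subscribers do not hold manage_options, so the bypass stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $allowed = array( 'get_users', 'update_option' );
    $func    = isset( $_POST['func'] ) ? sanitize_key( $_POST['func'] ) : '';
    if ( ! in_array( $func, $allowed, true ) ) {
        wp_send_json_error( 'unknown func', 400 );
    }

    if ( 'get_users' === $func ) {
        wp_send_json_success( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) );
    }
    if ( ! isset( $_POST['name'], $_POST['value'] ) ) {
        wp_send_json_error( 'missing parameters', 400 );
    }
    update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}
```

The nonce alone would not have closed this hole, since any logged-in user can obtain a valid nonce for the page that issues it; the current_user_can() check is the control that actually enforces authorization.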
Recommendations

Update Product Filter for WooCommerce to version 8.2.0 or later.
Update Improved Product Options for WooCommerce to version 5.3.0 or later.
Update Improved Sale Badges for WooCommerce to version 4.4.0 or later.
Update Share, Print and PDF Products for WooCommerce to version 2.8.0 or later.
Update Product Loops for WooCommerce to version 1.7.0 or later.
Update XforWooCommerce to version 1.7.0 or later.
Update Package Quantity Discount to version 1.2.0 or later.
Update Price Commander for WooCommerce to version 1.3.0 or later.
Update Comment and Review Spam Control for WooCommerce to version 1.5.0 or later.
Update Add Product Tabs for WooCommerce to version 1.5.0 or later.
Update Autopilot SEO for WooCommerce to version 1.6.0 or later.
Update Floating Cart to version 1.3.0 or later.
Update Live Search for WooCommerce to version 2.1.0 or later.
Update Bulk Add to Cart for WooCommerce to version 1.3.0 or later.
Update Live Product Editor for WooCommerce to version 4.7.0 or later.
Update Warranties and Returns for WooCommerce to version 5.3.0 or later.

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2021-4337

Affected Products

Add Product Tabs for WooCommerce
Autopilot SEO for WooCommerce
Bulk Add to Cart for WooCommerce
Comment/Review Spam Control for WooCommerce
Floating Cart
Improved Product Options for WooCommerce
Improved Sale Badges for WooCommerce
Live Product Editor for WooCommerce
Live Search for WooCommerce
Package Quantity Discount
Price Commander for WooCommerce
Premmerce Product Filter for WooCommerce
Product Loops for WooCommerce
Share, Print and PDF Products for WooCommerce
Warranties/Returns for WooCommerce
XforWooCommerce