CVE-2024-6799

Name of the Vulnerable Software and Affected Versions YITH Essential Kit for WooCommerce versions up to, and including, 2.34.0

Description The issue allows authenticated attackers with Subscriber-level access and above to modify data without proper authorization. This is due to a missing capability check on the activate module, deactivate module, and install module functions. As a result, attackers can install, activate, and deactivate plugins from a pre-defined list of available YITH plugins.

Recommendations For versions up to, and including, 2.34.0, update to a version higher than 2.34.0 to resolve the issue. As a temporary workaround, consider disabling the activate module, deactivate module, and install module functions until a patch is available.