PT-2025-2198 · Woocommerce · Variation Swatches For Woocommerce

Lucky_Buddy · Published 2025-01-23 · Updated 2025-02-05 · CVE-2024-13511

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Variation Swatches for WooCommerce versions 1.0.8 through 1.3.2
Description

The issue is a cross-site request forgery (CSRF) caused by improper nonce verification in the plugin's settings reset functionality. The reset is driven by the settings_init() function, which triggers a reset action when specific query parameters are present in the URL, and by the related delete_settings() function, whose nonce validation check is faulty. Because the reset request is not tied to a valid nonce, an unauthenticated attacker who tricks a logged-in user with access to the plugin's settings (typically an administrator) into opening a crafted URL, for example through a link or an embedded image, can cause the plugin's settings to be reset without that user's intent. This matches the CVSS vector: no privileges are required (PR:N), user interaction is needed (UI:R), and the impact is limited to integrity (I:L).
Recommendations

At the time of writing, no version containing a fix for this vulnerability is known. Until a patch is available, for versions 1.0.8 through 1.3.2, consider disabling the settings reset path handled by settings_init() and delete_settings(), or wrapping it so that a valid nonce and a capability check are required before any settings are deleted. Restrict access to the settings reset functionality to the smallest set of users that need it, to reduce the impact of a forged request. Because the reset is triggered purely by query parameters in the URL, administrators should not follow links to the plugin's admin pages that carry those parameters unless they come from a trusted source.
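The pattern the advisory describes, as an added example that is not the plugin's code: a WordPress admin handler whose reset action fires on query parameters, first with a nonce check that does not fail closed, then hardened with a capability check and check_admin_referer(). All names (the vs_example_* functions, page slug, option key and nonce action) and the specific shape of the faulty check are assumptions for illustration; the advisory states only that the plugin's check is faulty, not how.

```php
<?php
/**
 * Added illustration for this advisory. This is NOT the Variation Swatches
 * for WooCommerce plugin's code: the vs_example_* function names, the option
 * key, the page slug, the nonce action and the exact shape of the faulty check
 * are assumptions chosen to show the vulnerability class.
 *
 * Both handlers run on admin_init and react to a URL of the form
 *   /wp-admin/admin.php?page=vs-example-settings&action=reset
 * A real plugin would register only one of them; both are shown side by side.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern: the reset fires on query parameters alone.
// ---------------------------------------------------------------------------
add_action( 'admin_init', 'vs_example_settings_init_vulnerable' );

function vs_example_settings_init_vulnerable() {
    if ( isset( $_GET['page'], $_GET['action'] )
        && 'vs-example-settings' === $_GET['page']
        && 'reset' === $_GET['action'] ) {
        vs_example_delete_settings_vulnerable();
    }
}

function vs_example_delete_settings_vulnerable() {
    // Faulty check (assumed shape): wp_verify_nonce() returns false when the
    // nonce is missing or wrong, but its result is never acted on, so the
    // delete proceeds for a forged request that carries no nonce at all.
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    wp_verify_nonce( $nonce, 'vs_example_reset' );

    delete_option( 'vs_example_settings' );
    wp_safe_redirect( admin_url( 'admin.php?page=vs-example-settings&reset=1' ) );
    exit;
}

// Because the reset is a plain GET, a page hosted anywhere can trigger it in a
// logged-in administrator's browser, e.g. with an image tag:
//   <img src="https://victim.example/wp-admin/admin.php?page=vs-example-settings&action=reset">

// ---------------------------------------------------------------------------
// Hardened pattern: capability check, then nonce verification that fails closed.
// ---------------------------------------------------------------------------
add_action( 'admin_init', 'vs_example_settings_init_fixed' );

function vs_example_settings_init_fixed() {
    if ( ! isset( $_GET['page'], $_GET['action'] )
        || 'vs-example-settings' !== $_GET['page']
        || 'reset' !== $_GET['action'] ) {
        return;
    }

    // Authorization: a nonce is not an access-control mechanism, so check the
    // capability first. Only users allowed to manage options may reset them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.' ), 403 );
    }

    // Anti-CSRF: check_admin_referer() calls wp_verify_nonce() and terminates
    // the request with a 403 "link has expired" page when the nonce is absent,
    // expired, issued to another user or bound to a different action.
    // Nothing below this line runs on failure.
    check_admin_referer( 'vs_example_reset', '_wpnonce' );

    vs_example_delete_settings_fixed();
}

function vs_example_delete_settings_fixed() {
    delete_option( 'vs_example_settings' );
    wp_safe_redirect( admin_url( 'admin.php?page=vs-example-settings&reset=1' ) );
    exit;
}

// The legitimate "Reset settings" link must carry a nonce bound to the same
// action name; wp_nonce_url() appends it as the _wpnonce query parameter.
function vs_example_reset_link() {
    return wp_nonce_url(
        admin_url( 'admin.php?page=vs-example-settings&action=reset' ),
        'vs_example_reset',
        '_wpnonce'
    );
}
```

The two things to verify when reviewing a handler like this are that the nonce check actually stops execution on failure (check_admin_referer() does; a bare wp_verify_nonce() whose return value is ignored does not) and that a capability check precedes it, since WordPress nonces only prove the request originated from a page the site generated for that user, not that the user is allowed to perform the action.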

Weakness Enumeration

CSRF

Related Identifiers

CVE-2024-13511

Affected Products

Variation Swatches For Woocommerce