The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example
References
Link | Resource |
---|---|
https://plugins.trac.wordpress.org/changeset/2650578 | Patch Third Party Advisory |
https://wpscan.com/vulnerability/514416fa-d915-4953-bf1b-6dbf40b4d7e5 | Exploit Third Party Advisory |
Configurations
Information
Published : 2022-02-07 08:15
Updated : 2022-10-25 06:47
NVD link : CVE-2021-24993
Mitre link : CVE-2021-24993
JSON object : View
CWE
CWE-352
Cross-Site Request Forgery (CSRF)
Products Affected
etoilewebdesign
- ultimate_product_catalog