Authorization Bypass in XforWooCommerce Add-On Plugins for WordPress
CVE-2021-4337
Key Information:
- Vendor
- Wordpress
- Status
- Vendor
- CVE Published:
- 7 June 2023
Summary
Multiple XforWooCommerce Add-On Plugins for WordPress have a vulnerability due to a missing capability check on the wp_ajax_svx_ajax_factory function. This flaw allows authenticated attackers with subscriber-level permissions and above to manipulate WordPress settings and plugin configurations. Attackers can gain unauthorized access to sensitive data, edit existing settings, or delete critical WordPress configurations. The affected plugins include several widely used WooCommerce add-ons, making it crucial for site administrators to update to patched versions to mitigate the risk.
Affected Version(s)
Add Product Tabs for WooCommerce * < 1.5.0
Autopilot SEO for WooCommerce * < 1.6.0
Bulk Add to Cart for WooCommerce * < 1.3.0
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved