Improper Nonce Verification in Variation Swatches Plugin for WooCommerce by WordPress
CVE-2024-13511

4.3MEDIUM

Key Information:

Vendor
Themehunk
Status
Variation Swatches For WooCommerce
Vendor
CVE Published:
23 January 2025

Summary

The Variation Swatches for WooCommerce plugin suffers from improper nonce verification, allowing attackers to exploit vulnerabilities in its settings reset feature. This issue arises from the settings_init() function, which improperly handles reset actions by relying on specific URL query parameters. The faulty nonce validation carried out by the delete_settings() function exposes the plugin to potential unauthorized access, making the reset process insecure and a target for malicious actors.

Affected Version(s)

Variation Swatches for WooCommerce 1.0.8 <= 1.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/th-variation-s...
https://plugins.trac.wordpress.org/changeset/3226822/th-v...

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lucky_buddy
.