Description
The Ultimate Product Catalog WordPress plugin before 5.0.26 does not perform authorization or CSRF (nonce) checks in some of its AJAX actions. Any authenticated user, even one with the Subscriber role, can call these actions through admin-ajax.php and, for example, add arbitrary products or change the plugin's settings.
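The pattern behind CWE-862 plus CWE-352 in a WordPress AJAX handler, shown as an added illustration (this is not code from the Ultimate Product Catalog plugin; the action names, the option key, the script handle and the `manage_options` capability are assumptions). Any callback hooked to `wp_ajax_*` is reachable by every logged-in user via `admin-ajax.php`, so the handler itself must verify both a nonce and a capability:

```php
<?php
/*
 * Added illustration, not the plugin's own code. Hook names
 * (upcp_*), the option key and the script handle are hypothetical.
 */

// VULNERABLE pattern: reachable by any logged-in user (wp_ajax_ hooks fire
// for every authenticated request to admin-ajax.php) and verifies neither a
// nonce (CSRF) nor a capability (authorization).
add_action( 'wp_ajax_upcp_save_settings_insecure', 'upcp_save_settings_insecure' );
function upcp_save_settings_insecure() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'upcp_settings', $settings ); // a Subscriber can rewrite settings
    wp_send_json_success();
}

// HARDENED pattern: nonce check first, then capability check.
add_action( 'wp_ajax_upcp_save_settings', 'upcp_save_settings' );
function upcp_save_settings() {
    // 1. CSRF: terminates the request when the 'security' field is missing
    //    or does not carry a valid nonce for this action.
    check_ajax_referer( 'upcp_save_settings_nonce', 'security' );

    // 2. Authorization: a valid nonce only proves the request originated from
    //    our own admin page; it says nothing about what the user may do.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Settings are assumed to be a flat string array here.
    $settings = isset( $_POST['settings'] ) ? wp_unslash( (array) $_POST['settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $settings );
    update_option( 'upcp_settings', $settings );
    wp_send_json_success();
}

// Hand the nonce to the legitimate admin UI (script handle 'upcp-admin'
// assumed to be registered elsewhere) so it can send it back as 'security'.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'upcp-admin', 'upcpAjax', array(
        'url'      => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'upcp_save_settings_nonce' ),
    ) );
} );
```

To confirm a fix of this kind, log in as a Subscriber and POST the action to `admin-ajax.php` without the nonce, then with a nonce but without the capability: the first request should be rejected by `check_ajax_referer`, the second by `current_user_can`. Only the Subscriber-level vector is covered here; no `wp_ajax_nopriv_*` hook is registered, which is why the advisory talks about authenticated users only.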
References
- Patch, Third Party Advisory
- Exploit, Third Party Advisory
- Patch, Third Party Advisory
- Exploit, Third Party Advisory
Affected configurations
Configuration 1: version before 5.0.26 (excluding)
cpe:2.3:a:etoilewebdesign:ultimate_product_catalog:*:*:*:*:*:wordpress:*:*

EPSS
Percentile: 39%
Score: 0.00175
Severity: Low

CVSS3: 6.5 Medium
CVSS2: 4.0 Medium

Weaknesses
CWE-862 (Missing Authorization)
CWE-352 (Cross-Site Request Forgery)
Related vulnerabilities
- github, almost 4 years ago, CVSS3: 6.5. Same description, EPSS values (percentile 39%, score 0.00175, Low), CVSS2 4.0 Medium and weaknesses (CWE-862, CWE-352) as above.