Vulnerabilities > CVE-2021-42367 - Missing Authorization vulnerability in Variation Swatches for Woocommerce Project Variation Swatches for Woocommerce
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
The Variation Swatches for WooCommerce WordPress plugin is vulnerable to Stored Cross-Site Scripting via several parameters found in the ~/includes/class-menu-page.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.1.1. Due to missing authorization checks on the tawcvs_save_settings function, low-level authenticated users such as subscribers can exploit this vulnerability.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2634227%40variation-swatches-for-woocommerce&new=2634227%40variation-swatches-for-woocommerce&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2634227%40variation-swatches-for-woocommerce&new=2634227%40variation-swatches-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42367
- https://www.wordfence.com/vulnerability-advisories/#CVE-2021-42367