History: Jan 24, 2022 - 8:15 a.m.

CVE-2021-24974

2022-01-24 08:15:08
CWE-79
web.nvd.nist.gov
22
cve-2021-24974
product feed pro
woocommerce
wordpress
plugin
authorization
csrf
stored cross-site scripting
nvd

CVSS2: 3.5 Low

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 24.9%

The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF checks in some of its AJAX actions, allowing any authenticated user to call them, which could lead to a Stored Cross-Site Scripting issue (triggered in the admin dashboard) due to the lack of escaping.

Affected configurations

Vulners
NVD
Node: adtribes product_feed_pro_for_woocommerce, Range: <11.0.7

| Vendor | Product | Version | CPE |
| adtribes | product_feed_pro_for_woocommerce | * | cpe:2.3:a:adtribes:product_feed_pro_for_woocommerce:*:*:*:*:*:*:*:* |

CNA Affected

[
  {
    "product": "Product Feed PRO for WooCommerce",
    "vendor": "Unknown",
    "versions": [
      {
        "lessThan": "11.0.7",
        "status": "affected",
        "version": "11.0.7",
        "versionType": "custom"
      }
    ]
  }
]