Cross site request forgery (csrf)

2022-02-0716:15:00

PRIOn knowledge base

www.prio-n.com

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.4%

JSON

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin’s settings for example

CPENameOperatorVersion
ultimate_product_cataloglt5.0.26

CPE	Name	Operator	Version
	ultimate_product_catalog	lt	5.0.26

References

plugins.trac.wordpress.org/changeset/2650578

wpscan.com/vulnerability/514416fa-d915-4953-bf1b-6dbf40b4d7e5