The plugin does not have authorisation and CSRF checks in the tawcvs_save_settings, update_attribute_type_setting and update_product_attr_type AJAX actions, allowing any authenticated user to call them. The tawcvs_save_settings action in particular could be used to update the plugin's settings and add XSS payloads.
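The root cause described above is a common WordPress pattern: a `wp_ajax_*` hook fires for every logged-in user regardless of role, so a handler that neither verifies a nonce nor checks a capability is reachable by any subscriber-level account and by CSRF against an administrator. The following is an added illustrative example, not the plugin's own code; the action name `example_save_settings`, the option key `example_plugin_settings` and the `manage_options` capability are assumptions chosen for the example. It shows the unguarded handler next to a hardened version that adds the missing CSRF check, the missing authorisation check, and input sanitisation.

```php
<?php
// Added illustrative example: a WordPress admin-AJAX settings handler written
// two ways. This is NOT the plugin's own code; the action name
// "example_save_settings", the option key "example_plugin_settings" and the
// "manage_options" capability are assumptions made for this example.

// --- Vulnerable pattern: the handler trusts any logged-in user ---------------
// wp_ajax_{action} runs for every authenticated user, whatever their role, so
// without a capability check a subscriber can rewrite the settings, and without
// a nonce check a CSRF page can do it on an administrator's behalf.
function example_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_plugin_settings', $settings ); // unsanitised and unauthorised
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// --- Hardened pattern: nonce (CSRF) + capability (authorisation) + sanitising --
function example_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    //    check_ajax_referer() terminates the request (HTTP 403) if the nonce is
    //    missing, stale or issued for a different action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorisation: a valid nonce only proves the request originated from a
    //    page we served to *some* logged-in user; it says nothing about their
    //    role. Require the capability that legitimately governs these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Input handling: never store raw request data that will later be
    //    rendered in HTML. Sanitise keys and values before persisting them.
    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array();
    foreach ( $raw as $key => $value ) {
        $settings[ sanitize_key( $key ) ] = sanitize_text_field( $value );
    }
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( array( 'saved' => count( $settings ) ) );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// The admin page that issues the request receives the nonce through
// wp_localize_script(); its JavaScript then sends it as the "nonce" POST field.
function example_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

Two points worth keeping in mind when reviewing handlers like this: the nonce and the capability check are independent controls and both are needed (a nonce without `current_user_can()` still leaves the action open to every logged-in role), and sanitising on input does not replace escaping on output, so wherever the stored settings are rendered they should still pass through `esc_html()` or `esc_attr()`.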
CPE

Name | Operator | Version
---|---|---
variation-swatches-for-woocommerce | lt | 2.1.2