WordPress Plugin Vulnerabilities

YITH WooCommerce Product Add-Ons < 4.9.3 - Unauthenticated Content Injection

Description

The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to Content Injection in all versions up to, and including, 4.9.2. This is due to the plugin not properly validating a field that can be updated. This makes it possible for unauthenticated attackers to inject arbitrary content.

Affects Plugins

Plugin icon
yith-woocommerce-product-add-ons
Fixed in 4.9.3

References

CVE
CVE-2024-35680
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2f51c73c-0eea-43b1-afae-ee8e8708a3d3

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
3511ee44-8fd0-483b-856c-309feb43856d

Timeline

Publicly Published
2024-06-06 (about 1 year ago)
Added
2024-06-14 (about 1 year ago)
Last Updated
2024-06-14 (about 1 year ago)

Other

Published
Title
Published
2026-02-26
Title
Fluent Forms Pro Add On Pack < 6.1.18 - Missing Authorization to Unauthenticated Payment Status modification
Published
2026-02-11
Title
WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass
Published
2022-11-29
Title
Quiz and Survey Master < 8.0.5 - Improper Input Validation
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated HTML Injection
Published
2024-06-27
Title
WooCommerce < 9.0.0 - Shop Manager+ Content Injection