WordPress Plugin Vulnerabilities

Pure WC Variation Swatches <= 1.1.7 - Unauthenticated Settings Update

Description

The plugin does not have an authorization check when updating its settings, which could allow any authenticated users to update them.

Proof of Concept

Affects Plugins

Plugin icon
pure-wc-variations-swatches
No known fix

References

CVE
CVE-2025-12820

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Khaled Alenazi (Nxploited)
Submitter
Khaled Alenazi (Nxploited)
Submitter website
https://github.com/Nxploited
Verified
Yes
WPVDB ID
36ccd54a-265a-44d5-b788-bc14446e3098

Timeline

Publicly Published
2025-11-28 (about 1 month ago)
Added
2025-11-21 (about 1 month ago)
Last Updated
2025-11-21 (about 1 month ago)

Other

Published
Title
Published
2024-04-16
Title
Support Genix < 1.2.4 - Missing Authorization
Published
2024-04-29
Title
Democracy Poll <= 6.1.1 - Missing Authorization
Published
2025-06-05
Title
DocsPress < 2.5.3 - Missing Authorization
Published
2024-09-24
Title
HUSKY – Products Filter Professional for WooCommerce < 1.3.6.2 - Insecure Direct Object Reference to Unsubscribe
Published
2024-01-02
Title
Product Expiry for WooCommerce < 2.6 - Subscriber+ Settings Update