WordPress Plugin Vulnerabilities

Multiple YITH WooCommerce plugins - Cross-Site Scripting via shortcode ajax

Description

Multiple plugins from YITH does not protect its ajax actions against CSRF attacks, allowing an attacker to trick a logged in user to perform actions on their behalf by submitting a crafted request.

Affects Plugins

Plugin icon
yith-woocommerce-wishlist
Fixed in 3.15.0
Plugin icon
yith-woocommerce-compare
Fixed in 2.20.1
Plugin icon
yith-woocommerce-quick-view
Fixed in 1.21.1
Plugin icon
yith-woocommerce-catalog-mode
Fixed in 2.16.1
Plugin icon
yith-woocommerce-order-tracking
Fixed in 2.8.0
Plugin icon
yith-essential-kit-for-woocommerce-1
Fixed in 2.14.0
Plugin icon
yith-infinite-scrolling
Fixed in 1.8.0

References

CVE
CVE-2022-44630
URL
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-december-2022.html

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lana Codes
Verified
No
WPVDB ID
80974444-d531-4eda-8955-6d66d3d7f840

Timeline

Publicly Published
2022-12-05 (about 3 years ago)
Added
2022-12-29 (about 3 years ago)
Last Updated
2022-12-29 (about 3 years ago)

Other

Published
Title
Published
2021-07-02
Title
Woostify < 1.9.2 - CSRF Bypass
Published
2024-12-12
Title
ECT Social Share <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Published
2025-09-26
Title
VM Menu Reorder plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update
Published
2023-10-16
Title
HTML5 Maps < 1.7.1.5 - Arbitrary Settings Update via CSRF
Published
2025-04-04
Title
Official CleverReach Plugin for WooCommerce < 3.4.7 - Settings Update via CSRF