WordPress Plugin Vulnerabilities

YITH WooCommerce Product Add-Ons < 4.2.1 - Missing Authorization

Description

The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to unauthorized functionality due to a missing capability check on two of its AJAX actions in versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to make use of this functionality and allows them to enable and disable blocks and addons.

Affects Plugins

Plugin icon
yith-woocommerce-product-add-ons
Fixed in 4.2.1

References

CVE
CVE-2023-46635
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e95773c-b968-47b3-8ae7-9a8d3389666c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Elliot
Verified
No
WPVDB ID
a0819101-37d0-4b8e-88b0-7bcd2af3a663

Timeline

Publicly Published
2023-10-25 (about 2 years ago)
Added
2023-11-23 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2026-04-16
Title
wpForo Forum < 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter
Published
2026-04-29
Title
Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management < 4.6.20 - Missing Authorization
Published
2024-01-25
Title
10Web AI Assistant – AI content writing assistant < 1.0.19 - Missing Authorization to Arbitrary Plugin Installation
Published
2026-02-19
Title
iZooto <= 3.7.20 - Missing Authorization
Published
2025-08-14
Title
Nexter Blocks < 4.5.5 - Missing Authorization