WordPress Plugin Vulnerabilities

Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset

Description

The Variation Swatches for WooCommerce plugin, in all versions starting at 1.0.8 up until 1.3.2, contains a vulnerability due to improper nonce verification in its settings reset functionality. The issue exists in the settings_init() function, which processes a reset action based on specific query parameters in the URL. The related delete_settings() function performs a faulty nonce validation check, making the reset operation insecure and susceptible to unauthorized access.

Affects Plugins

Plugin icon
th-variation-swatches
Fixed in 1.3.3

References

CVE
CVE-2024-13511
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c43b9b4-4394-428a-b381-d6a776fcd130

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
lucky_buddy
Verified
No
WPVDB ID
e07eefa9-79d4-4fd9-9ceb-b088d0f89932

Timeline

Publicly Published
2025-01-22 (about 1 year ago)
Added
2025-01-22 (about 1 year ago)
Last Updated
2025-01-23 (about 1 year ago)

Other

Published
Title
Published
2024-06-21
Title
ContentLock < 1.0.4 - Settings Update via CSRF
Published
2023-09-25
Title
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Published
2023-10-06
Title
GoodBarber < 1.0.24 - Settings Update via CSRF
Published
2023-11-07
Title
Donations Made Easy – Smart Donations <= 4.0.12 - Cross-Site Request Forgery
Published
2023-12-27
Title
Job Manager & Career – Manage job board listings, and recruitments < 1.4.5 - Cross-Site Request Forgery to PHP Object Injection