WordPress Plugin Vulnerabilities

YITH WooCommerce Product Add-Ons < 2.1.0 - Authenticated Local File Inclusion

Description

The plugin does not validate user input before using it to generate a local path passed to include(), which could lead to a Local File Inclusion issue on Windows Web Servers

Proof of Concept

Affects Plugins

Plugin icon
yith-woocommerce-product-add-ons
Fixed in 2.1.0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
e603d736-9a13-42c8-be18-653df392afb8

Timeline

Publicly Published
2021-09-20 (about 4 years ago)
Added
2021-09-20 (about 4 years ago)
Last Updated
2021-09-20 (about 4 years ago)

Other

Published
Title
Published
2026-02-10
Title
Beaver Builder Page Builder – Drag and Drop Website Builder < 2.10.0.6 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings
Published
2023-02-10
Title
Link Juice Keeper < 2.0.3 - Admin+ Stored XSS
Published
2024-11-08
Title
Browsing History <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-12-05
Title
Spectra < 2.7.10 - Contributor+ Stored XSS
Published
2017-10-08
Title
Import any XML or CSV File to WordPress <= 3.4.5 - Cross-Site Scripting (XSS)