← back
CVE-2022-4872

WooCommerce Chained Products < 2.12.0 - Unauthenticated Arbitrary Options Update to 'no'

CVSS 4.3 MEDIUMEPSS 0.3%
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
30 Jan 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Chained Products WordPress plugin before 2.12.0 does not have authorisation and CSRF checks, as well as does not ensure that the option to be updated belong to the plugin, allowing unauthenticated attackers to set arbitrary options to 'no'
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N