CVE-2022-44630

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the YITH WooCommerce Product Slider Carousel plugin for WordPress, versions from n/a through 1.16.0. The vulnerability allows an attacker to perform unwanted actions on behalf of a privileged user by tricking them into clicking a malicious link or submitting a crafted form [1].

Exploitation

To exploit this vulnerability, an attacker must craft a malicious request and deliver it to a logged-in user with higher privileges (e.g., administrator). The attacker does not require direct network access to the server. User interaction is required: the victim must click a malicious link, visit a crafted page, or submit a form while authenticated to the WordPress site [1].

Impact

Successful exploitation could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication session, leading to unauthorized changes within the plugin's settings or other affected functionality [1].

Mitigation

This security issue has been fixed in version 1.16.1 or later. Users are advised to update to version 1.16.1 or later to resolve the vulnerability. Patchstack users can turn on auto-update for vulnerable plugins only [1].