VYPR
Unrated severity · NVD Advisory · Published Jul 19, 2024 · Updated Apr 8, 2026

YITH Essential Kit for WooCommerce #1 <= 2.34.0 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install, Activation, and Deactivation

CVE-2024-6799

Description

The YITH Essential Kit for WooCommerce #1 plugin lacks capability checks, allowing subscribers to install, activate, or deactivate bundled plugins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The YITH Essential Kit for WooCommerce #1 plugin for WordPress, in versions up to and including 2.34.0, is missing a capability check on the activate_module, deactivate_module, and install_module functions in class-yith-jetpack.php [2][3][4]. These functions are hooked to wp_ajax_* actions, which WordPress fires for any logged-in user, and they do not verify that the caller holds the capability core requires for the corresponding operation (install_plugins for installs, activate_plugins for activation and deactivation). Any authenticated user can therefore manipulate the plugin's bundled modules.
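The following is an added illustration, not code from the YITH plugin: it shows the pattern the advisory describes (a wp_ajax_* handler that changes plugin state with no capability check) next to a hardened version that adds a nonce check, a capability check matching what WordPress core requires, and an allow-list of the predefined modules. The class, method, action and plugin-slug names are hypothetical stand-ins; the WordPress API calls are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed "example_" are hypothetical.

// --- Vulnerable pattern: the handler is reachable by any logged-in user ---------
class Example_Module_Manager_Vulnerable {
    public function __construct() {
        // wp_ajax_* fires for every authenticated user, Subscriber included.
        add_action( 'wp_ajax_example_activate_module', array( $this, 'activate_module' ) );
    }

    public function activate_module() {
        $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
        // No current_user_can() and no nonce: authorization is missing entirely,
        // so a Subscriber can activate whatever plugin file they name.
        $result = activate_plugin( $plugin );
        wp_send_json( is_wp_error( $result ) ? $result->get_error_message() : 'activated' );
    }
}

// --- Hardened pattern -------------------------------------------------------------
class Example_Module_Manager_Hardened {
    // Only plugins from a fixed allow-list may be touched, mirroring the
    // "limited install" nature of the kit. Slug below is an assumed example.
    private $allowed = array(
        'yith-woocommerce-wishlist/init.php',
    );

    public function __construct() {
        add_action( 'wp_ajax_example_activate_module', array( $this, 'activate_module' ) );
    }

    public function activate_module() {
        // 1. CSRF: the request must carry a nonce issued to this user for this action
        //    (the matching wp_create_nonce( 'example_module_action' ) lives in the admin UI).
        check_ajax_referer( 'example_module_action', 'nonce' );

        // 2. Authorization: require the capability core itself requires for the
        //    operation (install_plugins for installs, activate_plugins here).
        if ( ! current_user_can( 'activate_plugins' ) ) {
            wp_send_json_error( 'insufficient permissions', 403 );
        }

        // 3. Input validation: reject anything outside the predefined list.
        $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
        if ( ! in_array( $plugin, $this->allowed, true ) ) {
            wp_send_json_error( 'unknown module', 400 );
        }

        $result = activate_plugin( $plugin );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 500 );
        }
        wp_send_json_success( 'activated' );
    }
}
```

The capability check is the fix for the flaw described here; the nonce check and allow-list are defence in depth. Note that checking a nonce alone would not have closed this hole, since a nonce proves intent, not privilege: a Subscriber with a valid nonce would still pass.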

Exploitation

An attacker must be authenticated with at least Subscriber-level access; on sites that allow user registration this is the default role assigned to new accounts. By sending AJAX requests to the wp-admin/admin-ajax.php endpoint with the appropriate action parameters, the attacker can install, activate, or deactivate any of the pre-defined YITH plugins (such as YITH WooCommerce Wishlist) without authorization. No additional privileges or user interaction beyond being logged in are required.

Impact

Successful exploitation lets the attacker install, activate, or deactivate YITH plugins from the kit's predefined list. The install capability is limited to that list, so this is not arbitrary plugin upload, but it can still activate plugins with their own vulnerabilities, deactivate security-related modules, or install unneeded plugins, potentially leading to further compromise or disruption of the WooCommerce site.

Mitigation

As of the publication date, no official security update has been confirmed and no patch commit has been identified for this entry. The affected range given in the title ends at 2.34.0, and the plugin's current version listed on WordPress.org is 2.51.0 [1], which may include the necessary capability checks. Update to the latest version. If updating is not possible, either deactivate and remove the plugin (bundled YITH plugins it has already installed remain installed and must be reviewed separately) or restrict its wp_ajax_* actions to users who hold install_plugins and activate_plugins until a fix is confirmed. After patching, review the installed-plugin list and activation state for changes made by low-privileged accounts.
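One way to implement the interim restriction above without modifying the vulnerable plugin, as an added example that is not part of the YITH plugin or of this advisory's sources: a must-use plugin that runs on admin_init, which admin-ajax.php fires before dispatching the wp_ajax_{action} hook, and refuses the gated actions for users lacking the capability core would require. The action names in the table are placeholders; the real ones must be read from the plugin's own add_action( 'wp_ajax_...' ) calls before deploying.

```php
<?php
/**
 * Plugin Name: Example AJAX capability gate
 * Description: Added illustration (not YITH code). Place in wp-content/mu-plugins/ as a
 *              stop-gap until the vulnerable plugin is updated or removed.
 */

// Map of AJAX action => capability WordPress core requires for the same operation.
// ASSUMPTION: these action names are hypothetical; substitute the plugin's real ones.
function example_gate_plugin_actions() {
    return array(
        'example_install_module'    => 'install_plugins',
        'example_activate_module'   => 'activate_plugins',
        'example_deactivate_module' => 'activate_plugins',
    );
}

function example_gate_ajax_request() {
    // Only admin-ajax.php requests are in scope.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // admin-ajax.php dispatches on $_REQUEST['action']; read the same parameter.
    $action = isset( $_REQUEST['action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) ) : '';
    $gated  = example_gate_plugin_actions();
    if ( ! isset( $gated[ $action ] ) ) {
        return; // not a gated action, let WordPress continue normally
    }

    if ( ! current_user_can( $gated[ $action ] ) ) {
        // Record the attempt for detection; a Subscriber hitting these actions
        // is exactly the behaviour the advisory describes.
        error_log( sprintf(
            'ajax-gate: denied action=%s user_id=%d ip=%s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        wp_send_json_error( 'insufficient permissions', 403 ); // calls wp_die(), request ends here
    }
}

// Priority 0 runs the gate before other admin_init callbacks; admin_init itself
// fires in admin-ajax.php before do_action( "wp_ajax_{$action}" ).
add_action( 'admin_init', 'example_gate_ajax_request', 0 );
```

Because the gate keys on the action name, it fails open for any handler not in the table, so the table must be complete for the plugin version deployed. It is a containment measure, not a substitute for updating.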

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)