This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU22547
Risk: Low
CVSSv3.1:
CVE-ID: CVE-2019-16251
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to a missing access control check in the “plugin-fw/lib/yit-plugin-panel-wc.php” script of the YIT plugin framework, which is bundled with each of the plugins listed below. A remote authenticated attacker can bypass the intended permission check and modify the plugin options.
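The pattern behind a bug of this class, as an added illustration (hypothetical WordPress plugin code written for this bulletin, not the YIT framework's own source; the `yit_example_*` function names, option keys and nonce action are made up): an options-save handler hooked on `admin_init`, which fires for every logged-in user, that writes whatever arrives in `$_POST` without asking who the caller is, beside a hardened version that checks capability, nonce and an allow-list of option keys.

```php
<?php
// Added example, not YITH code. Two options-save handlers for a WordPress
// plugin settings page: the first shows the missing-authorization pattern,
// the second the checks that close it. All names are hypothetical.

// Vulnerable pattern. admin_init runs on every admin request, including those
// from subscriber-level accounts, and nothing here verifies the user's role,
// the request origin, or which option keys are being written.
function yit_example_save_options_vulnerable() {
    if ( ! isset( $_POST['yit_example_save'] ) ) {
        return;
    }
    if ( ! isset( $_POST['yit_options'] ) || ! is_array( $_POST['yit_options'] ) ) {
        return;
    }
    foreach ( $_POST['yit_options'] as $key => $value ) {
        update_option( $key, $value ); // attacker-chosen key and value
    }
}
add_action( 'admin_init', 'yit_example_save_options_vulnerable' );

// Hardened pattern: same hook, same form, three checks in front of the write.
function yit_example_save_options_hardened() {
    if ( ! isset( $_POST['yit_example_save'] ) ) {
        return;
    }

    // 1. Authorization: only users who may manage the shop. For a plugin that
    //    is not WooCommerce-specific, 'manage_options' is the usual choice.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Request forgery: the settings form must carry a nonce created with
    //    wp_nonce_field( 'yit_example_save_options', 'yit_example_nonce' ).
    check_admin_referer( 'yit_example_save_options', 'yit_example_nonce' );

    // 3. Allow-list of option keys, each with its own sanitizer, so a request
    //    cannot reach arbitrary options such as users_can_register.
    $allowed = array(
        'yit_example_enabled'   => 'rest_sanitize_boolean',
        'yit_example_label'     => 'sanitize_text_field',
        'yit_example_threshold' => 'absint',
    );

    $posted = array();
    if ( isset( $_POST['yit_options'] ) && is_array( $_POST['yit_options'] ) ) {
        $posted = wp_unslash( $_POST['yit_options'] );
    }

    foreach ( $allowed as $key => $sanitize ) {
        if ( array_key_exists( $key, $posted ) ) {
            update_option( $key, call_user_func( $sanitize, $posted[ $key ] ) );
        }
    }
}
add_action( 'admin_init', 'yit_example_save_options_hardened' );
```

When reviewing a plugin for this class of bug, look for every `add_action( 'admin_init', ... )`, `admin_post_*` and `wp_ajax_*` handler that calls `update_option()` and confirm that both a `current_user_can()` check and a nonce check sit on the path before the write; the capability check alone does not stop a forged request from an administrator's browser, and the nonce check alone does not stop a low-privileged user.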
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
YITH Desktop Notifications for WooCommerce: 1.0.0 - 1.2.7
YITH PayPal Express Checkout for WooCommerce: 1.0.0 - 1.2.5
YITH WooCommerce Recover Abandoned Cart: 1.2.1 - 1.3.3
YITH WooCommerce Questions and Answers: 1.0.0 - 1.1.9
YITH WooCommerce Multi Vendor: 1.6.9 - 3.4.0
YITH WooCommerce Mailchimp: 1.0.0 - 2.1.3
YITH WooCommerce Best Sellers: 1.0.0 - 1.1.12
YITH WooCommerce Authorize.net Payment Gateway: 1.0.0 - 1.1.12
YITH Advanced Refund System for WooCommerce: 1.0.0 - 1.0.11
YITH WooCommerce Points and Rewards: 1.0.0 - 1.3.5
YITH WooCommerce Waiting List: 1.0.0 - 1.3.10
YITH WooCommerce Stripe: 1.0.0 - 2.0.1
YITH WooCommerce Bulk Product Editing: 1.0.0 - 1.2.14
YITH WooCommerce Added to Cart Popup: 1.0.0 - 1.3.12
YITH Product Size Charts for WooCommerce: 1.0.0 - 1.1.12
YITH Custom Thank You Page for Woocommerce: 1.0.0 - 1.1.7
YITH Color and Label Variations for WooCommerce: 1.8.1 - 1.8.12
YITH WooCommerce Multi-step Checkout: 1.4.0 - 1.7.4
YITH WooCommerce Frequently Bought Together: 1.0.1 - 1.2.10
YITH WooCommerce Product Bundles: 1.0.0 - 1.1.16
YITH WooCommerce Cart Messages: 1.2.1 - 1.4.4
YITH WooCommerce Affiliates: 1.0.0 - 1.6.2
YITH WooCommerce Subscription: 1.2.0 - 1.3.5
YITH WooCommerce Gift Cards: 1.0.0 - 1.3.7
YITH WooCommerce Product Add-Ons: 1.0.0 - 1.5.21
YITH WooCommerce Advanced Reviews: 1.0.3 - 1.3.9
YITH Pre-Order for WooCommerce: 1.0.0 - 1.2.0
YITH WooCommerce PDF Invoice and Shipping List: 1.0.0 - 1.2.12
YITH WooCommerce Order Tracking: 1.0.0 - 1.2.10
YITH WooCommerce Social Login: 1.2.0 - 1.3.5
YITH WooCommerce Request A Quote: 1.0.0 - 1.4.8
YITH WooCommerce Brands Add-On: 1.0.0 - 1.3.6
YITH WooCommerce Badge Management: 1.0.0 - 1.3.20
YITH WooCommerce Ajax Search: 1.0.0 - 1.7.0
YITH WooCommerce Zoom Magnifier: 1.0.0 - 1.3.11
YITH WooCommerce Quick View: 1.0.0 - 1.3.14
YITH WooCommerce Compare: 1.0.0 - 2.3.14
YITH WooCommerce Wishlist: 1.0.0 - 2.2.13
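Because the affected code ships inside every plugin above, a site is exposed if any one of them is within its listed range. The script below is an added example (not vendor tooling) that parses the bulletin's "Name: low - high" lines and checks them against a plugin inventory; the inventory here is constructed for the example and uses display names, whereas a real `wp plugin list --format=json` export keys plugins by slug, so the matching field is an assumption to adapt. It compares versions numerically, which matters here: a string comparison would place 2.2.9 after 2.2.13 and miss a vulnerable install.

```python
"""Check a plugin inventory against the version ranges in this bulletin.

Added example, not YITH or EUVDB code. ADVISORY_RANGES is a subset of the
bulletin's list (paste the full list to audit a real site); INSTALLED_JSON is
a constructed inventory in the shape of `wp plugin list --format=json`, with
the display name in "name" (an assumption; real exports carry the slug).
"""
import json
import re
from typing import Dict, List, Tuple

ADVISORY_RANGES = """
YITH WooCommerce Ajax Search: 1.0.0 - 1.7.0
YITH WooCommerce Zoom Magnifier: 1.0.0 - 1.3.11
YITH WooCommerce Quick View: 1.0.0 - 1.3.14
YITH WooCommerce Compare: 1.0.0 - 2.3.14
YITH WooCommerce Wishlist: 1.0.0 - 2.2.13
"""

# Constructed inventory: one plugin inside its range, one just past the upper
# bound, one exactly at the upper bound (ranges are inclusive), one unrelated.
INSTALLED_JSON = """[
  {"name": "YITH WooCommerce Wishlist", "version": "2.2.9", "status": "active"},
  {"name": "YITH WooCommerce Compare", "version": "2.3.15", "status": "active"},
  {"name": "YITH WooCommerce Ajax Search", "version": "1.7.0", "status": "inactive"},
  {"name": "WooCommerce", "version": "3.7.0", "status": "active"}
]"""

RANGE_RE = re.compile(r"^(?P<name>.+?):\s*(?P<low>[\d.]+)\s*-\s*(?P<high>[\d.]+)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). A non-numeric tail such as '-beta' is dropped."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_in_range(version: str, low: str, high: str) -> bool:
    """Inclusive numeric comparison; shorter tuples are padded with zeros
    so that '2.3' and '2.3.0' compare equal."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def parse_ranges(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased plugin name -> (low, high) from bulletin-style lines."""
    ranges: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        match = RANGE_RE.match(line.strip())
        if match:
            ranges[match["name"].strip().lower()] = (match["low"], match["high"])
    return ranges


def find_vulnerable(installed: List[dict], ranges: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (name, installed version, affected range) for each hit.
    Inactive plugins are still reported: the code is on disk and one click
    away from being active again."""
    hits: List[Tuple[str, str, str]] = []
    for plugin in installed:
        key = plugin["name"].strip().lower()
        if key in ranges:
            low, high = ranges[key]
            if version_in_range(plugin["version"], low, high):
                hits.append((plugin["name"], plugin["version"], f"{low} - {high}"))
    return hits


def audit(inventory_json: str, ranges_text: str) -> List[Tuple[str, str, str]]:
    return find_vulnerable(json.loads(inventory_json), parse_ranges(ranges_text))


if __name__ == "__main__":
    for name, version, affected in audit(INSTALLED_JSON, ADVISORY_RANGES):
        print(f"VULNERABLE  {name} {version}  (affected: {affected})")
```

The check is only as good as the inventory: plugins installed under a renamed directory, or a premium plugin whose display name differs from the bulletin's wording, will not match by name, so confirm a clean result by looking for `plugin-fw/lib/yit-plugin-panel-wc.php` under `wp-content/plugins/` as well.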
http://blog.nintechnet.com/authenticated-settings-change-vulnerability-in-yit-plugin-framework/
http://wpvulndb.com/vulnerabilities/9932