#VU22547 Improper access control in YITH products - CVE-2019-16251

Published: November 6, 2019
Vulnerability identifier: #VU22547
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2019-16251
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
YITH Desktop Notifications for WooCommerce
YITH PayPal Express Checkout for WooCommerce
YITH WooCommerce Recover Abandoned Cart
YITH WooCommerce Questions and Answers
YITH WooCommerce Multi Vendor
YITH WooCommerce Mailchimp
YITH WooCommerce Best Sellers
YITH WooCommerce Authorize.net Payment Gateway
YITH Advanced Refund System for WooCommerce
YITH WooCommerce Points and Rewards
YITH WooCommerce Waiting List
YITH WooCommerce Stripe
YITH WooCommerce Bulk Product Editing
YITH WooCommerce Added to Cart Popup
YITH Product Size Charts for WooCommerce
YITH Custom Thank You Page for Woocommerce
YITH Color and Label Variations for WooCommerce
YITH WooCommerce Multi-step Checkout
YITH WooCommerce Frequently Bought Together
YITH WooCommerce Product Bundles
YITH WooCommerce Cart Messages
YITH WooCommerce Affiliates
YITH WooCommerce Subscription
YITH WooCommerce Gift Cards
YITH WooCommerce Product Add-Ons
YITH WooCommerce Advanced Reviews
YITH Pre-Order for WooCommerce
YITH WooCommerce PDF Invoice and Shipping List
YITH WooCommerce Order Tracking
YITH WooCommerce Social Login
YITH WooCommerce Request A Quote
YITH WooCommerce Brands Add-On
YITH WooCommerce Badge Management
YITH WooCommerce Ajax Search
YITH WooCommerce Zoom Magnifier
YITH WooCommerce Quick View
YITH WooCommerce Compare
YITH WooCommerce Wishlist
Software vendor:
YITH

Description

The vulnerability allows a remote authenticated attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "plugin-fw/lib/yit-plugin-panel-wc.php" script. A remote authenticated attacker can bypass the implemented access restrictions and modify the plugin options.
Remediation

Install updates from the vendor's website.

External links