CVE-2022-2555 – Yotpo Reviews for WooCommerce <= 2.0.4 - Arbitrary Settings Update via CSRF

https://notcve.org/view.php?id=CVE-2022-2555

The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks nonce check when updating its settings, which could allow attacker to make a logged in admin change them via a CSRF attack. El plugin Yotpo Reviews for WooCommerce de WordPress versiones hasta 2.0.4, carece de comprobación de nonce cuando es actualizada su configuración, lo que podría permitir a un atacante hacer que un administrador conectado los cambie por medio de un ataque de tipo CSRF. The Yotpo Reviews for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation when modifying plugin settings. This makes it possible for unauthenticated attackers to trigger changes to the plugin's own settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wpscan.com/vulnerability/7ec9e493-bc48-4a5d-8c7e-34beaba892ae • CWE-352: Cross-Site Request Forgery (CSRF) •