CVE-2021-4337

Multiple XforWooCommerce Add-On Plugins (Various Versions) - Missing Authorization

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. The plugins impacted are: Product Filter for WooCommerce < 8.2.0, Improved Product Options for WooCommerce < 5.3.0, Improved Sale Badges for WooCommerce < 4.4.0, Share, Print and PDF Products for WooCommerce < 2.8.0, Product Loops for WooCommerce < 1.7.0, XforWooCommerce < 1.7.0, Package Quantity Discount < 1.2.0, Price Commander for WooCommerce < 1.3.0, Comment and Review Spam Control for WooCommerce < 1.5.0, Add Product Tabs for WooCommerce < 1.5.0, Autopilot SEO for WooCommerce < 1.6.0, Floating Cart < 1.3.0, Live Search for WooCommerce < 2.1.0, Bulk Add to Cart for WooCommerce < 1.3.0, Live Product Editor for WooCommerce < 4.7.0, and Warranties and Returns for WooCommerce < 5.3.0.

*Credits: Jerome Bruandet

CVSS Scores

NISTv3.1 8.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-07 CVE Published
2023-06-06 CVE Reserved
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-11-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-862: Missing Authorization

CAPEC

References (3)

URL	Tag	Source
https://www.wordfence.com/threat-intel/vulnerabilities/id/05481984-7c18-4ec7-8d7c-831809c3e86b?source=cve	Third Party Advisory

URL	Date	SRC
https://blog.nintechnet.com/16-woocommerce-product-add-ons-plugins-fixed-vulnerabilities	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://xforwoocommerce.com/blog/change-log/xforwoocommerce-1-7-0	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xforwoocommerce Search vendor "Xforwoocommerce"		Add Product Tabs Search vendor "Xforwoocommerce" for product "Add Product Tabs"				< 1.5.0 Search vendor "Xforwoocommerce" for product "Add Product Tabs" and version " < 1.5.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Autopilot Seo Search vendor "Xforwoocommerce" for product "Autopilot Seo"				< 1.6.0 Search vendor "Xforwoocommerce" for product "Autopilot Seo" and version " < 1.6.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Bulk Add To Cart Search vendor "Xforwoocommerce" for product "Bulk Add To Cart"				< 1.3.0 Search vendor "Xforwoocommerce" for product "Bulk Add To Cart" and version " < 1.3.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Comment And Review Spam Control Search vendor "Xforwoocommerce" for product "Comment And Review Spam Control"				< 1.5.0 Search vendor "Xforwoocommerce" for product "Comment And Review Spam Control" and version " < 1.5.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Floating Cart Search vendor "Xforwoocommerce" for product "Floating Cart"				< 1.3.0 Search vendor "Xforwoocommerce" for product "Floating Cart" and version " < 1.3.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Improved Product Options Search vendor "Xforwoocommerce" for product "Improved Product Options"				< 5.3.0 Search vendor "Xforwoocommerce" for product "Improved Product Options" and version " < 5.3.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Improved Sale Badges Search vendor "Xforwoocommerce" for product "Improved Sale Badges"				< 4.4.0 Search vendor "Xforwoocommerce" for product "Improved Sale Badges" and version " < 4.4.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Live Product Editor Search vendor "Xforwoocommerce" for product "Live Product Editor"				< 4.7.0 Search vendor "Xforwoocommerce" for product "Live Product Editor" and version " < 4.7.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Live Search Search vendor "Xforwoocommerce" for product "Live Search"				< 2.1.0 Search vendor "Xforwoocommerce" for product "Live Search" and version " < 2.1.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Package Quantity Search vendor "Xforwoocommerce" for product "Package Quantity"				< 1.2.0 Search vendor "Xforwoocommerce" for product "Package Quantity" and version " < 1.2.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Price Commander Search vendor "Xforwoocommerce" for product "Price Commander"				< 1.3.0 Search vendor "Xforwoocommerce" for product "Price Commander" and version " < 1.3.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Product Filter Search vendor "Xforwoocommerce" for product "Product Filter"				< 8.2.0 Search vendor "Xforwoocommerce" for product "Product Filter" and version " < 8.2.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Product Loops Search vendor "Xforwoocommerce" for product "Product Loops"				< 1.7.0 Search vendor "Xforwoocommerce" for product "Product Loops" and version " < 1.7.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Share\, Print And Pdf Products Search vendor "Xforwoocommerce" for product "Share\, Print And Pdf Products"				< 2.8.0 Search vendor "Xforwoocommerce" for product "Share\, Print And Pdf Products" and version " < 2.8.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Warranties And Returns Search vendor "Xforwoocommerce" for product "Warranties And Returns"				< 5.3.0 Search vendor "Xforwoocommerce" for product "Warranties And Returns" and version " < 5.3.0"		wordpress		Affected
Xforwoocommerce Search vendor "Xforwoocommerce"		Xforwoocommerce Search vendor "Xforwoocommerce" for product "Xforwoocommerce"				< 1.7.0 Search vendor "Xforwoocommerce" for product "Xforwoocommerce" and version " < 1.7.0"		wordpress		Affected