Vulnerabilities and security researches foryikes-inc-easy-custom-woocommerce-product-tabs yikes-inc-easy-custom-woocommerce-product-tabs

Jun 07, 2024

CVE, Research URL: CVE-2022-43463
Home page URL: Security reports for Custom Product Tabs for WooCommerce
Application: Custom Product Tabs for WooCommerce
Date: Nov 19, 2022
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Custom Product Tabs for WooCommerce plugin <= 1.7.9 on WordPress.
Affected versions: max 1.8.0.
Status: vulnerable

CVE, Research URL: CVE-2022-28666
Home page URL: Security reports for Custom Product Tabs for WooCommerce
Application: Custom Product Tabs for WooCommerce
Date: Jul 21, 2022
Research Description: Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.
Affected versions: max 1.7.9.
Status: vulnerable

Jan 07, 2025

CVE, Research URL: CVE-2024-11465
Home page URL: Security reports for Custom Product Tabs for WooCommerce
Application: Custom Product Tabs for WooCommerce
Date: Jan 07, 2025
Research Description: The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: max 1.8.6.
Status: vulnerable