cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for yith-essential-kit-for-woocommerce-1

Jun 07, 2024

YITH Essential Kit for WooCommerce #1 # c1c4ceda507bfb133a9fe97e93b9caf47601a16f

Date
-
Research Description
YITH Essential Kit for WooCommerce #1 [yith-essential-kit-for-woocommerce-1] < 2.14.0. The WordPress YITH Essential Kit for WooCommerce #1 plugin <= 2.13.0 is vulnerable to Cross-Site Request Forgery (CSRF). Update the WordPress YITH Essential Kit for WooCommerce #1 plugin to the latest available version (at least 2.14.0). Lana Codes discovered and reported this Cross-Site Request Forgery (CSRF) vulnerability in the WordPress YITH Essential Kit for WooCommerce #1 plugin. This could allow a malicious actor to force higher-privileged users to execute unwanted actions under their current authentication, for example a password change, which will then allow the malicious actor to log in to the admin account. This vulnerability has been fixed in version 2.14.0.
Affected versions
max 2.14.0.
Status
vulnerable
Aug 08, 2024

YITH Essential Kit for WooCommerce #1 # CVE-2024-6799

CVE, Research URL

CVE-2024-6799

Date
Jul 19, 2024
Research Description
The YITH Essential Kit for WooCommerce #1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_module', 'deactivate_module', and 'install_module' functions in all versions up to, and including, 2.34.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install, activate, and deactivate plugins from a pre-defined list of available YITH plugins.
Affected versions
max 2.35.0.
Status
vulnerable