CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-13511: Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset

4.3 CVSS

Description

The Variation Swatches for WooCommerce plugin, in all versions starting at 1.0.8 up until 1.3.2, contains a vulnerability due to improper nonce verification in its settings reset functionality. The issue exists in the settings_init() function, which processes a reset action based on specific query parameters in the URL. The related delete_settings() function performs a faulty nonce validation check, making the reset operation insecure and susceptible to unauthorized access.

Classification

CVE ID: CVE-2024-13511

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

Affected Products

Vendor: themehunk

Product: Variation Swatches for WooCommerce

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 23.55% (scored less or equal to compared to others)

EPSS Date: 2025-02-21 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/6c43b9b4-4394-428a-b381-d6a776fcd130?source=cve
https://plugins.trac.wordpress.org/browser/th-variation-swatches/tags/1.3.1/inc/thvs-settings.php
https://plugins.trac.wordpress.org/changeset/3226822/th-variation-swatches/trunk/inc/thvs-settings.php

Timeline

2025-01-24 00:30:16 UTC
CVE

Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset