CVE-2021-24993

MEDIUM

The Ultimate Product Catalog WP <5.0.26 - CSRF

Title source: llm
STIX 2.1

Description

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/514416fa-d915-4953-bf1b-6dbf40b4d7e5
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2650578

Scores

CVSS v3 6.5
EPSS 0.0047
EPSS Percentile 37.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-352 CWE-862
Status published
Products (1)
etoilewebdesign/ultimate_product_catalog < 5.0.26
Published Feb 07, 2022
Tracked Since Feb 18, 2026