Variation Swatches for WooCommerce Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Variation Swatches for WooCommerce plugin, affecting versions 1.0.8 prior to 1.3.2. The vulnerability arises from inadequate nonce verification in the plugin's settings reset feature. Specifically, the issue is located in the settings_init() function, which handles reset actions based on certain query parameters in the URL. The associated delete_settings() function fails to properly validate nonces, rendering the reset process insecure and open to unauthorized access.

Impact

Exploitation of this vulnerability allows for Cross-Site Request Forgery, where an attacker can trick a user into performing actions without their consent, potentially leading to unauthorized changes in the plugin's settings.

Reproduction

To reproduce this vulnerability, a request can be sent to the WordPress site with the 'reset' parameter included in the URL. This request should also include a nonce that bypasses the expected validation. The settings will be reset without proper authorization, demonstrating the vulnerability.
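The weakness described in the Vulnerability and Reproduction sections, a reset handler that acts on a query parameter without binding the request to the administrator's intent, is illustrated below in an added example that is not the plugin's code and not part of this advisory. Only the names settings_init() and delete_settings() come from the advisory; the vswc_example_ prefix, the option keys, the nonce action string and the function bodies are assumptions made for this illustration. Pattern A shows the unsafe shape; pattern B shows the WordPress-idiomatic fix using a capability check plus check_admin_referer(), with the matching nonce placed on the reset link.

```php
<?php
/**
 * Added illustration (not the plugin's code). Function and option names other
 * than settings_init()/delete_settings() are assumptions for this example.
 */

// Assumed option keys; the plugin's real option names are not on the advisory page.
const VSWC_EXAMPLE_OPTIONS = array( 'vswc_example_swatch_settings', 'vswc_example_display' );

/*
 * Pattern A: the unsafe shape the advisory describes. The reset fires on a bare
 * query parameter. Nothing ties the request to an action the logged-in
 * administrator deliberately took, which is exactly the gap CSRF exploits.
 */
function vswc_example_vulnerable_settings_init() {
    if ( isset( $_GET['reset'] ) ) {
        vswc_example_vulnerable_delete_settings();
    }
}

function vswc_example_vulnerable_delete_settings() {
    foreach ( VSWC_EXAMPLE_OPTIONS as $option ) {
        delete_option( $option );
    }
}

/*
 * Pattern B: hardened. Three checks precede any deletion:
 *   1. the reset parameter is actually present,
 *   2. the current user may manage options,
 *   3. a nonce bound to this action and to the user's session verifies.
 */
function vswc_example_hardened_settings_init() {
    if ( empty( $_GET['reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset these settings.', 'vswc-example' ), 403 );
    }
    // Terminates with a 403 when '_wpnonce' is absent or does not match the action.
    check_admin_referer( 'vswc_example_reset_settings', '_wpnonce' );

    vswc_example_hardened_delete_settings();

    // Drop the one-shot parameters so a browser refresh cannot replay the reset.
    wp_safe_redirect( remove_query_arg( array( 'reset', '_wpnonce' ) ) );
    exit;
}

function vswc_example_hardened_delete_settings() {
    // Re-check at the point of action so this stays safe if another code path
    // calls it later without going through settings_init().
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    foreach ( VSWC_EXAMPLE_OPTIONS as $option ) {
        delete_option( $option );
    }
    return true;
}

// The reset link rendered on the settings page must carry the matching nonce,
// otherwise the hardened handler correctly rejects it.
function vswc_example_hardened_reset_url( $settings_page_url ) {
    $url = add_query_arg( 'reset', '1', $settings_page_url );
    return wp_nonce_url( $url, 'vswc_example_reset_settings', '_wpnonce' );
}

add_action( 'admin_init', 'vswc_example_hardened_settings_init' );
```

The capability check and the nonce check answer different questions: current_user_can() asks whether this user is allowed to reset settings at all, while check_admin_referer() asks whether this particular request came from a page WordPress rendered for that user. A reset path needs both; a nonce alone would still let any authenticated low-privilege user reset the options, and a capability check alone is what leaves the door open to CSRF.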

Remediation

Users are advised to update the Variation Swatches for WooCommerce plugin to version 1.3.3 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 7.6
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.