Pure WC Variation Swatches WordPress Plugin Missing Authorization Vulnerability in Settings Update

Vulnerability

A vulnerability exists in the Pure WC Variation Swatches WordPress plugin, affecting versions through 1.1.7. The issue arises because the plugin lacks proper authorization checks when updating settings. This flaw could enable any authenticated user to modify the settings.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in the plugin's settings by any authenticated user.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the action 'tpwvs_update_settings'. Include the settings data for 'tpwvs_general', 'tpwvs_shop', or 'tpwvs_style' in the request. The absence of an authorization check will allow the settings to be updated without proper permissions.
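A site that cannot yet move off an affected version can enforce the missing check from outside the plugin. The following must-use plugin is an added example, not code from Pure WC Variation Swatches or from this advisory. It assumes that 'manage_options' is the right capability for these settings and that the plugin registers its handler at the default hook priority. The guard function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guard for tpwvs_update_settings (added example)
 * Description: Capability check in front of the plugin's AJAX settings handler.
 * Install as a file in wp-content/mu-plugins/. Not part of the plugin itself.
 */

defined( 'ABSPATH' ) || exit;

// Assumption: only administrators should be able to change these settings.
const TPWVS_GUARD_CAPABILITY = 'manage_options';

/**
 * Hooked at priority 0 so it runs before the plugin's own handler
 * (assumed to be registered at the default priority of 10).
 */
function tpwvs_guard_update_settings() {
    if ( current_user_can( TPWVS_GUARD_CAPABILITY ) ) {
        return; // Authorized: let the plugin's handler process the request.
    }

    // Log which of the three settings groups the denied request carried,
    // without logging the submitted values themselves.
    $groups  = array( 'tpwvs_general', 'tpwvs_shop', 'tpwvs_style' );
    $present = array_values( array_intersect( $groups, array_keys( $_POST ) ) );
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    error_log( sprintf(
        'tpwvs_guard: denied tpwvs_update_settings user_id=%d ip=%s groups=%s',
        get_current_user_id(),
        $ip,
        implode( ',', $present )
    ) );

    // wp_send_json_error() sends the response and ends the request,
    // so the plugin's handler never runs for this user.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_tpwvs_update_settings', 'tpwvs_guard_update_settings', 0 );
```

The guard adds only the capability check. It cannot add nonce verification, because the plugin's own settings page would not send a nonce the guard knows about.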

Added: Dec 20, 2025, 6:16 AM
Updated: Dec 20, 2025, 6:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.