WordPress WooCommerce Products Without Featured Images Plugin Cross-Site Request Forgery Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress WooCommerce Products Without Featured Images plugin, specifically in versions through 0.1. This vulnerability allows for Reflected Cross-Site Scripting (XSS) attacks. The issue arises because the plugin does not properly validate requests, enabling attackers to trick users with higher privileges into performing actions that could lead to XSS vulnerabilities.

Impact

Exploitation of this vulnerability could allow attackers to perform actions on behalf of users with higher privileges, potentially leading to Reflected Cross-Site Scripting (XSS) vulnerabilities.

Remediation

Users are advised to deactivate the WooCommerce Products Without Featured Images plugin, as it is likely abandoned and will not receive further updates or fixes. Note that deactivating the plugin does not remove the security threat unless a virtual patch is applied. Patchstack has issued a virtual patch to mitigate this vulnerability by blocking attacks until an official fix is available.