CVE-2021-24993

CVE-2021-24993: Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update

Vendor Unknown

Product Ultimate Product Catalog – WordPress Catalog Plugin

Weakness CWE-862 · Missing authorization

Published February 7, 2022

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated users, such as subscriber to call them and add arbitrary products, or change the plugin's settings for example

Key dates

02Disclosure timeline

February 7, 2022 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24993 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-32146 WordPress Aspose.Words – Import and Export word documents plugin <= 6.3.1 - Broken Access Control vulnerability CVE-2025-5812 VG WORT METIS <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update CVE-2026-26368 JUNG eNet SMART HOME server 2.2.1/2.3.1 Account Takeover via resetUserPassword CVE-2024-24883 WordPress Prime Slider plugin <= 3.11.10 - Broken Access Control on Duplicate Post vulnerability CVE-2025-62070 WordPress WowRevenue plugin <= 1.2.13 - Broken Access Control vulnerability