cbcvebase.
CVE-2022-28666
published 2022-07-21

CVE-2022-28666: Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option…

Priority: P278 · Severity: medium, 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 1.23% (65.1th percentile)
Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.

Affected (2 ranges)

Vendor      Product                               Version range   Fixed in
yikes_inc   custom_product_tabs_for_woocommerce   n/a – 1.7.7
yikesinc    custom_product_tabs_for_woocommerce   <= 1.7.7

Detection & IOCs (extracted from sources)

url: POST /wp-json/yikes/cpt/v1/settings
other: toggle_the_content=false
  • Detect unauthenticated POST requests to the /wp-json/yikes/cpt/v1/settings endpoint with the toggle_the_content parameter in the body — this is the exploit path for CVE-2022-28666.
  • Successful exploitation returns a JSON response body containing both 'success' and 'Settings updated' with HTTP 200 and Content-Type application/json.
  • Use the publicwww fingerprint query 'yikes-inc-easy-custom' to identify WordPress sites running the vulnerable Custom Product Tabs for WooCommerce plugin.
  • The vulnerability is in the &yikes-the-content-toggle option update — monitor for unauthorized changes to this WordPress option as a post-exploitation indicator.
  • The Nuclei template is marked 'intrusive' — running it against a target will actively modify the toggle_the_content setting; use with caution in production environments.
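The first two detection bullets above, turned into a small log-review routine. This is an added example, not code from the record, the plugin or the Nuclei template; the JSON-lines request-log format, its field names, the sample events and the "logged-in cookie or Authorization header means authenticated" heuristic are all assumptions made for the example.

```python
import json
from urllib.parse import parse_qs

# Indicators taken from the CVE record: the REST endpoint, the body parameter
# the exploit sets, and the response text a successful option update returns.
ENDPOINT = "/wp-json/yikes/cpt/v1/settings"
PARAM = "toggle_the_content"
SUCCESS_MARKERS = ("success", "Settings updated")

def has_wp_auth(headers):
    """Assumed heuristic: a WordPress login cookie or an Authorization header."""
    return "wordpress_logged_in_" in headers.get("cookie", "") or "authorization" in headers

def body_has_param(content_type, body):
    """Look for the parameter in a JSON or form-encoded request body."""
    if "json" in content_type:
        try:
            return PARAM in json.loads(body)
        except ValueError:  # malformed JSON body cannot carry the parameter
            return False
    return PARAM in parse_qs(body)

def classify(event):
    """Return None (benign), 'attempt' or 'success' for one request/response event."""
    if event["method"] != "POST" or event["path"] != ENDPOINT:
        return None
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    if has_wp_auth(headers):
        return None  # an authenticated settings save is normal admin activity
    if not body_has_param(headers.get("content-type", ""), event.get("body", "")):
        return None
    resp = event.get("response", {})
    ok = resp.get("status") == 200 and "application/json" in resp.get("content_type", "")
    if ok and all(m in resp.get("body", "") for m in SUCCESS_MARKERS):
        return "success"  # option update went through: post-exploitation indicator
    return "attempt"

def scan(log_lines):
    """Run classify over JSON-lines events; return [(src_ip, verdict), ...]."""
    events = [json.loads(line) for line in log_lines]
    return [(e["src_ip"], classify(e)) for e in events if classify(e)]

# Constructed sample events (not real traffic): an admin saving settings,
# an unauthenticated update that succeeded, and an unauthenticated attempt that was refused.
SAMPLE_LOG = [
    json.dumps({"src_ip": "10.0.0.5", "method": "POST", "path": ENDPOINT, "headers": {"Cookie": "wordpress_logged_in_abc=admin|x", "Content-Type": "application/x-www-form-urlencoded"}, "body": "toggle_the_content=false", "response": {"status": 200, "content_type": "application/json", "body": '{"success":true,"message":"Settings updated"}'}}),
    json.dumps({"src_ip": "203.0.113.7", "method": "POST", "path": ENDPOINT, "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": "toggle_the_content=false", "response": {"status": 200, "content_type": "application/json", "body": '{"success":true,"message":"Settings updated"}'}}),
    json.dumps({"src_ip": "198.51.100.9", "method": "POST", "path": ENDPOINT, "headers": {"Content-Type": "application/json"}, "body": '{"toggle_the_content": false}', "response": {"status": 403, "content_type": "application/json", "body": '{"code":"rest_forbidden"}'}}),
]
```

On a patched site (> 1.7.7) the unauthenticated request should be refused, so an 'attempt' verdict is expected noise while a 'success' verdict means the option was changed and the plugin version and option value need checking.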

CVSS provenance

nvd: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck: 5.3 MEDIUM