CVE-2022-28666
published 2022-07-21
CVE-2022-28666: Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option…
Priority P278 · medium · 5.3 CVSS 3.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 1.23% (65.1th percentile)
Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yikes_inc | custom_product_tabs_for_woocommerce | n/a – 1.7.7 | — |
| yikesinc | custom_product_tabs_for_woocommerce | <= 1.7.7 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the /wp-json/yikes/cpt/v1/settings endpoint with the toggle_the_content parameter in the body — this is the exploit path for CVE-2022-28666.
- Successful exploitation returns a JSON response body containing both 'success' and 'Settings updated' with HTTP 200 and Content-Type application/json.
- Use the publicwww fingerprint query 'yikes-inc-easy-custom' to identify WordPress sites running the vulnerable Custom Product Tabs for WooCommerce plugin.
- The vulnerability is in the &yikes-the-content-toggle option update — monitor for unauthorized changes to this WordPress option as a post-exploitation indicator.
- The Nuclei template is marked 'intrusive' — running it against a target will actively modify the toggle_the_content setting; use with caution in production environments.
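As an added example (not code from the page or from any of the sources it lists), the first two detection bullets above turned into a small checker that runs over a constructed JSON-lines log from a reverse proxy or WAF that records request and response bodies; the field names and the cookie/Authorization heuristic for "authenticated" are assumptions, and a plain web-server access log without bodies would only support the endpoint/method part of the check:

```python
import json
from urllib.parse import parse_qs

ENDPOINT = "/wp-json/yikes/cpt/v1/settings"
PARAM = "toggle_the_content"

# Constructed JSON-lines sample, as a reverse proxy or WAF with body logging might
# emit it (the field names are an assumption, not a real product's schema).
SAMPLE_LOG = """\
{"ts":"2022-07-22T10:01:02Z","src":"203.0.113.10","method":"POST","path":"/wp-json/yikes/cpt/v1/settings","headers":{"content-type":"application/x-www-form-urlencoded"},"cookies":"","body":"toggle_the_content=true","status":200,"resp_ct":"application/json","resp_body":"{\\"success\\":true,\\"message\\":\\"Settings updated\\"}"}
{"ts":"2022-07-22T10:03:15Z","src":"198.51.100.7","method":"POST","path":"/wp-json/yikes/cpt/v1/settings","headers":{"content-type":"application/json"},"cookies":"wordpress_logged_in_c0ffee=admin%7Cplaceholder","body":"{\\"toggle_the_content\\":false}","status":200,"resp_ct":"application/json","resp_body":"{\\"success\\":true,\\"message\\":\\"Settings updated\\"}"}
{"ts":"2022-07-22T10:04:00Z","src":"192.0.2.5","method":"GET","path":"/wp-json/yikes/cpt/v1/settings?x=1","headers":{},"cookies":"","body":"","status":200,"resp_ct":"application/json","resp_body":"{}"}
"""

def is_authenticated(rec):
    # Heuristic: a WordPress REST call is authenticated by a wordpress_logged_in_*
    # cookie (plus nonce) or an Authorization header (application passwords).
    if "wordpress_logged_in_" in rec.get("cookies", ""):
        return True
    return any(k.lower() == "authorization" for k in rec.get("headers", {}))

def body_has_param(body, content_type):
    # Accept both encodings the REST API understands: form-encoded and JSON.
    if "json" in content_type.lower():
        try:
            data = json.loads(body)
        except ValueError:
            return False
        return isinstance(data, dict) and PARAM in data
    return PARAM in parse_qs(body)

def classify(rec):
    """Return None, 'attempt' or 'success' for one request/response record."""
    path = rec.get("path", "").split("?", 1)[0].rstrip("/")
    if rec.get("method") != "POST" or path != ENDPOINT:
        return None
    ct = rec.get("headers", {}).get("content-type", "")
    if is_authenticated(rec) or not body_has_param(rec.get("body", ""), ct):
        return None
    resp = rec.get("resp_body", "")
    if (rec.get("status") == 200 and "application/json" in rec.get("resp_ct", "")
            and "success" in resp and "Settings updated" in resp):
        return "success"  # the success indicator quoted in the IOCs above
    return "attempt"

def scan(log_text):
    # (ts, src, verdict) for every unauthenticated settings update seen in the log
    recs = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    return [(r["ts"], r["src"], classify(r)) for r in recs if classify(r)]
```

The second sample record is a legitimate logged-in update and is deliberately not flagged, so the rule keys on the missing credentials rather than on the endpoint alone.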
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vulncheck · 5.3 MEDIUM
GHSA
GHSA-g33g-qhjr-v6fq: Broken Access Control vulnerability in YIKES Inc
ghsa_unreviewed · 2022-07-22 · CVE-2022-28666 [MEDIUM] · CWE-269
Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.
VulnCheck
yikesinc custom_product_tabs_for_woocommerce Improper Authentication
vulncheck · 2022 · CVSS 5.3 · CVE-2022-28666 [MEDIUM]
Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 at WordPress leading to &yikes-the-content-toggle option update.
Affected: yikesinc custom_product_tabs_for_woocommerce
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yikes-inc-easy-custom-woocommerce-product-tabs/custom-product-tabs-for-woocommerce-177-subscriber-settings-update
No detection rules found.
Nuclei
Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
nuclei · CVSS 5.3 · CVE-2022-28666 [MEDIUM]
YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization.
Template (as indexed; the text is cut off after the `impact` field):

```yaml
id: CVE-2022-28666

info:
  name: Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update
  author: Sourabh-Sahu
  severity: medium
  description: |
    YIKES Inc. Custom Product Tabs for WooCommerce plugin <= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization.
  impact: |
    Attackers can modify product tab
```
No writeups or analysis indexed.
https://patchstack.com/database/vulnerability/yikes-inc-easy-custom-woocommerce-product-tabs/wordpress-custom-product-tabs-for-woocommerce-plugin-1-7-7-broken-access-control-vulnerability-leading-to-yikes-the-content-toggle-option-update?_s_id=cve