CVE-2021-24993: 
WordPress vulnerability analysis and mitigation

The Ultimate Product Catalog WordPress plugin before version 5.0.26 contains a security vulnerability identified as CVE-2021-24993. The vulnerability stems from missing authorization and CSRF (Cross-Site Request Forgery) checks in certain AJAX actions. This security flaw was discovered in January 2022 and affects the plugin's product management and settings configuration capabilities (WPScan).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. The security issue is classified under CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). The vulnerability exists in the AJAX endpoints that handle product creation and plugin settings modifications (NVD).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to perform unauthorized actions. Attackers can exploit this flaw to add arbitrary products to the catalog and modify plugin settings, including currency configurations, without proper authorization (WPScan).

The vulnerability has been patched in version 5.0.26 of the Ultimate Product Catalog plugin. Website administrators are strongly advised to update to this version or later to protect against potential exploitation (WordPress Changelog).