CVE-2021-42367: 
WordPress vulnerability analysis and mitigation

The Variation Swatches for WooCommerce WordPress plugin was identified with a Stored Cross-Site Scripting vulnerability (CVE-2021-42367) affecting versions up to and including 2.1.1. The vulnerability was discovered and reported by Chloe Chamberland from Wordfence, with the public disclosure occurring on December 1, 2021 (WPScan).

The vulnerability exists in the ~/includes/class-menu-page.php file, specifically in the tawcvs_save_settings function. The security issue stems from missing authorization checks and CSRF protections in multiple AJAX actions including tawcvs_save_settings, update_attribute_type_setting, and update_product_attr_type. The vulnerability received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N from NVD, while Wordfence assigned it a slightly higher score of 6.4 (Medium) (NVD).

The vulnerability allows low-level authenticated users, such as subscribers, to inject arbitrary web scripts through the plugin's settings. This could lead to stored cross-site scripting attacks, potentially affecting site administrators and other users who access the affected areas of the WordPress installation (NVD).

The vulnerability was patched in version 2.1.2 of the Variation Swatches for WooCommerce plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).