CVE-2021-4337: 
WordPress vulnerability analysis and mitigation

CVE-2021-4337 affects sixteen XforWooCommerce Add-On Plugins for WordPress, discovered and disclosed on September 7, 2021. The vulnerability stems from a missing capability check on the wpajaxsvxajaxfactory functionality, which affects multiple plugins including prdctfltr, improved-variable-product-attributes, improved-sale-badges, and several other XforWooCommerce add-ons (WPScan, NVD).

The vulnerability is characterized by missing authorization controls and CSRF checks in the svxajaxfactory AJAX action, which is accessible to authenticated users. The severity of this vulnerability is rated as High with a CVSS score of 8.8. The technical issue specifically relates to access control vulnerabilities, categorized under CWE-284 (WPScan, Wordfence).

The vulnerability allows any authenticated user, including those with low-privilege roles such as subscribers, to perform unauthorized actions including changing, viewing, or deleting arbitrary WordPress options, retrieving user lists, and importing, exporting, or updating the plugins' settings (WPScan).

The vulnerability has been fixed in multiple plugin versions: prdctfltr 8.2.0, improved-variable-product-attributes 5.3.0, improved-sale-badges 4.4.0, share-print-pdf-woocommerce 2.8.0, and several other affected plugins. Users are advised to update to these fixed versions to mitigate the vulnerability (XforWooCommerce).