
Cloud Vulnerability DB
A community-led vulnerabilities database
A Broken Access Control vulnerability was discovered in the YIKES Inc. Custom Product Tabs for WooCommerce plugin, versions 1.7.7 and below. The vulnerability, identified as CVE-2022-28666, was disclosed on June 28, 2022, and allows unauthenticated users to update the 'Toggle thecontent filter' setting through an improperly secured REST endpoint ([Patchstack](https://patchstack.com/database/vulnerability/yikes-inc-easy-custom-woocommerce-product-tabs/wordpress-custom-product-tabs-for-woocommerce-plugin-1-7-7-broken-access-control-vulnerability-leading-to-yikes-the-content-toggle-option-update?s_id=cve), WPScan).
The vulnerability has a CVSS score of 5.3 (Medium) and is classified under CWE-287 (Improper Authentication). The issue stems from a REST endpoint that lacks proper authorization controls, specifically the path '/wp-json/yikes/cpt/v1/settings'. Attackers can exploit this by sending a POST request with the parameter 'togglethecontent=false' to modify the setting without authentication (WPScan).
The vulnerability allows unauthorized users to modify the plugin's content toggle settings, potentially affecting how product content is displayed on WooCommerce sites. This broken access control issue could lead to unauthorized configuration changes that affect the website's functionality (Patchstack).
The vulnerability was patched in version 1.7.8 of the Custom Product Tabs for WooCommerce plugin. Users are strongly advised to update to version 1.7.8 or later to resolve this security issue. For users unable to update immediately, implementing web application firewall rules to restrict access to the affected endpoint is recommended (Patchstack).
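As an added illustration, not the plugin's actual code, the following shows the WordPress route-registration pattern behind this class of flaw: a REST route whose permission callback admits everyone, beside a hardened form that requires the manage_options capability and validates the boolean parameter. The route namespace and path are taken from the advisory; the callback and option names are assumed.

```php
<?php
// Added illustration (not the plugin's own code). Both route definitions target
// /wp-json/yikes/cpt/v1/settings; only the hardened one is registered below.

// VULNERABLE PATTERN: '__return_true' (or omitting permission_callback entirely)
// makes the route public, so any anonymous visitor can POST a new setting value.
function cpt_example_vulnerable_route_args() {
    return array(
        'methods'             => 'POST',
        'callback'            => 'cpt_example_update_settings',
        'permission_callback' => '__return_true',
    );
}

// HARDENED PATTERN: WordPress authenticates the request (cookie + X-WP-Nonce, or
// application password) before this runs; the callback then enforces capability,
// and the 'args' schema rejects or normalises anything that is not a boolean.
function cpt_example_hardened_route_args() {
    return array(
        'methods'             => 'POST',
        'callback'            => 'cpt_example_update_settings',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
        'args' => array(
            'togglethecontent' => array(
                'required'          => true,
                'type'              => 'boolean',
                'sanitize_callback' => 'rest_sanitize_boolean',
            ),
        ),
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'yikes/cpt/v1', '/settings', cpt_example_hardened_route_args() );
} );

function cpt_example_update_settings( WP_REST_Request $request ) {
    $enabled = (bool) $request->get_param( 'togglethecontent' );
    update_option( 'cpt_example_togglethecontent', $enabled ); // option name assumed
    return rest_ensure_response( array( 'togglethecontent' => $enabled ) );
}
```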
Source: This report was generated using AI