{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2719", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-03-24T12:07:41.833Z", "datePublished": "2025-04-10T07:02:39.962Z", "dateUpdated": "2025-04-10T13:36:01.911Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-10T07:02:39.962Z"}, "affected": [{"vendor": "hasthemes", "product": "Swatchly \u2013 WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches)", "versions": [{"version": "1.2.8", "status": "affected", "lessThanOrEqual": "1.4.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Swatchly \u2013 WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true, such as registration."}], "title": "Swatchly \u2013 WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) 1.2.8 - 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39336115-5993-49e1-b810-80a712e8e42b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/swatchly/tags/1.2.8/includes/Admin/Notices.php#L59"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Kenneth Dunn"}], "timeline": [{"time": "2025-03-18T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2025-04-09T18:09:21.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-10T13:35:41.791126Z", "id": "CVE-2025-2719", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T13:36:01.911Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Swatchly \u2013 WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true, such as registration."}, {"lang": "es", "value": "El complemento Swatchly \u2013 WooCommerce Variation Swatches for Products (atributos del producto: muestra de imagen, muestras de color, muestras de etiqueta) para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n ajax_dismiss en las versiones 1.2.8 a 1.4.0. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, actualicen los valores de las opciones a 1/verdadero en el sitio de WordPress. Esto se puede aprovechar para actualizar una opci\u00f3n que crear\u00eda un error en el sitio y negar\u00eda el acceso a usuarios leg\u00edtimos o se puede utilizar para establecer algunos valores como verdaderos, como el registro."}], "id": "CVE-2025-2719", "lastModified": "2025-04-11T15:39:52.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-04-10T07:15:41.493", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/swatchly/tags/1.2.8/includes/Admin/Notices.php#L59"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39336115-5993-49e1-b810-80a712e8e42b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}