CVE-2021-4337

Name: CVE-2021-4337
Creator: NVD / NIST
Published: 2023-06-07T13:15:09.437+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 1.29%

Last modified Jun 17, 2026

CVE-2021-4337 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. EPSS estimates a 1.29% chance of exploitation in the next 30 days.

Description

Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. The plugins impacted are: Product Filter for WooCommerce < 8.2.0, Improved Product Options for WooCommerce < 5.3.0, Improved Sale Badges for WooCommerce < 4.4.0, Share, Print and PDF Products for WooCommerce < 2.8.0, Product Loops for WooCommerce < 1.7.0, XforWooCommerce < 1.7.0, Package Quantity Discount < 1.2.0, Price Commander for WooCommerce < 1.3.0, Comment and Review Spam Control for WooCommerce < 1.5.0, Add Product Tabs for WooCommerce < 1.5.0, Autopilot SEO for WooCommerce < 1.6.0, Floating Cart < 1.3.0, Live Search for WooCommerce < 2.1.0, Bulk Add to Cart for WooCommerce < 1.3.0, Live Product Editor for WooCommerce < 4.7.0, and Warranties and Returns for WooCommerce < 5.3.0.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.29%

66.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Xforwoocommerce	Add Product Tabs	< 1.5.0
Xforwoocommerce	Autopilot Seo	< 1.6.0
Xforwoocommerce	Bulk Add To Cart	< 1.3.0
Xforwoocommerce	Comment And Review Spam Control	< 1.5.0
Xforwoocommerce	Floating Cart	< 1.3.0
Xforwoocommerce	Improved Product Options	< 5.3.0
Xforwoocommerce	Improved Sale Badges	< 4.4.0
Xforwoocommerce	Live Product Editor	< 4.7.0
Xforwoocommerce	Live Search	< 2.1.0
Xforwoocommerce	Package Quantity	< 1.2.0
Xforwoocommerce	Price Commander	< 1.3.0
Xforwoocommerce	Product Filter	< 8.2.0
Xforwoocommerce	Product Loops	< 1.7.0
Xforwoocommerce	Share\, Print And Pdf Products	< 2.8.0
Xforwoocommerce	Warranties And Returns	< 5.3.0
Xforwoocommerce	Xforwoocommerce	< 1.7.0

References

https://blog.nintechnet.com/16-woocommerce-product-add-ons-plugins-fixed-vulnerabilities/Exploit, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/05481984-7c18-4ec7-8d7c-831809c3e86b?source=cveThird Party Advisory
https://xforwoocommerce.com/blog/change-log/xforwoocommerce-1-7-0/Vendor Advisory
https://blog.nintechnet.com/16-woocommerce-product-add-ons-plugins-fixed-vulnerabilities/Exploit, Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/05481984-7c18-4ec7-8d7c-831809c3e86b?source=cveThird Party Advisory
https://xforwoocommerce.com/blog/change-log/xforwoocommerce-1-7-0/Vendor Advisory

Timeline

Published: Jun 7, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-4337?

How severe is CVE-2021-4337?

CVE-2021-4337 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 1.29% probability of exploitation in the next 30 days.

How do I fix CVE-2021-4337?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-4337?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST