Description
WordPress Plugin YITH Advanced Refund System for WooCommerce is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently modify plugin options. WordPress Plugin YITH Advanced Refund System for WooCommerce version 1.0.10 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.0.12 or the latest release.
References
https://blog.nintechnet.com/authenticated-settings-change-vulnerability-in-yit-plugin-framework/
https://plugins.svn.wordpress.org/yith-advanced-refund-system-for-woocommerce/trunk/readme.txt