The WooCommerce Product Attachment plugin for WordPress, up to version 2.1.8, is vulnerable to Cross-Site Request Forgery (CSRF) because nonce validation is missing or incorrect on multiple admin partial pages. An unauthenticated attacker who can get a site administrator to perform an action, such as clicking a link, can update the plugin’s settings.
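The nonce check described above, as an added example in PHP: a hypothetical settings handler (not the plugin's actual code) shown without and with nonce validation. The `example_*` function, option, action and field names and the `manage_options` capability are assumptions; the WordPress core functions are real.

```php
<?php
// Added example: hypothetical handler, not the plugin's code. All example_* names are placeholders.

// Vulnerable pattern: the write depends only on the administrator's session cookie,
// so the handler cannot tell a request from the settings page apart from a forged one.
function example_save_settings_vulnerable() {
    if ( isset( $_POST['example_label'] ) ) {
        $label = sanitize_text_field( wp_unslash( $_POST['example_label'] ) );
        update_option( 'example_attachment_label', $label );
    }
}

// Hardened pattern: capability check and nonce verification before any write.
function example_save_settings_hardened() {
    if ( ! isset( $_POST['example_label'] ) ) {
        return;
    }
    // 'manage_options' is an assumed capability for this sketch.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }
    // Stops with a 403 when the nonce is missing, expired, or was issued
    // for a different action or user.
    check_admin_referer( 'example_save_settings', '_example_nonce' );

    $label = sanitize_text_field( wp_unslash( $_POST['example_label'] ) );
    update_option( 'example_attachment_label', $label );
}

// The form must emit the matching nonce, or legitimate saves will fail.
function example_render_settings_form() {
    $label = get_option( 'example_attachment_label', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', '_example_nonce' ); ?>
        <input type="text" name="example_label" value="<?php echo esc_attr( $label ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

Because the advisory names multiple admin partial pages, the same verification belongs in every partial that changes state, each with an action string that matches the one its form emits.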