
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in AdTribes.Io Product Feed PRO for WooCommerce plugin <= 12.4.4 versions. The Product Feed PRO for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 12.4.0. This is due to missing or incorrect nonce validation on the update_project function. This makes it possible for unauthenticated attackers to update projects via a forged request granted they can trick a site administrator into performing an acti... • https://patchstack.com/database/vulnerability/woo-product-feed-pro/wordpress-product-feed-pro-for-woocommerce-plugin-12-3-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Feb 2022 — The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting. • https://plugins.trac.wordpress.org/changeset/2670405 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Dec 2021 — The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 does not have authorisation and CSRF checks in some of its AJAX actions, allowing any authenticated user to call them, which could lead to a Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping. • https://wpscan.com/vulnerability/8ed549fe-7d27-4a7a-b226-c20252964b29 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')