CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37212 – WordPress AliExpress Dropshipping with AliNext Lite plugin <= 3.3.5 - CSRF to PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-37212
Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Ali2Woo Lite.This issue affects Ali2Woo Lite: from n/a through 3.3.5. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Ali2Woo Ali2Woo Lite. Este problema afecta a Ali2Woo Lite: desde n/a hasta 3.3.5. The Ali2Woo Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on a function. • https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-csrf-to-php-object-injection-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37213 – WordPress AliExpress Dropshipping with AliNext Lite plugin <= 3.3.9 - CSRF to XSS vulnerability
https://notcve.org/view.php?id=CVE-2024-37213
Cross-Site Request Forgery (CSRF) vulnerability in Ali2Woo Team Ali2Woo Lite allows Cross-Site Scripting (XSS).This issue affects Ali2Woo Lite: from n/a through 3.3.9. The Ali2Woo Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-csrf-to-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37211 – WordPress AliExpress Dropshipping with AliNext Lite plugin <= 3.3.5 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37211
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ali2Woo Team Ali2Woo Lite allows Reflected XSS.This issue affects Ali2Woo Lite: from n/a through 3.3.5. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Ali2Woo Team Ali2Woo Lite permite el XSS reflejado. Este problema afecta a Ali2Woo Lite: desde n/a hasta 3.3.5. The Ali2Woo Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/ali2woo-lite/wordpress-aliexpress-dropshipping-with-alinext-lite-plugin-3-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37214 – Ali2Woo Lite <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-37214
The Ali2Woo Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2381 – AliExpress Dropshipping with AliNext Lite <= 3.3.5 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-2381
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento AliExpress Dropshipping con AliNext Lite para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validación del tipo de archivo en la función ajax_save_image en todas las versiones hasta la 3.3.5 incluida. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código. • https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108 https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •