CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5641 – One Click Order Re-Order <= 1.1.9 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-5641
03 Jul 2024 — The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting. El complemento One Click Order Re-Order para WordPress es vulnerable a modificaciones no autorizadas de datos debid... • https://plugins.trac.wordpress.org/browser/one-click-order-reorder/trunk/includes/class-basket-order.php#L489 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47646 – WordPress Recently viewed and most viewed products Plugin <= 1.1.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-47646
07 Nov 2023 — Auth. (Shop Manager+) Stored Cross-Site Scripting (XSS) vulnerability in CedCommerce Recently viewed and most viewed products plugin <= 1.1.1 versions. Vulnerabilidad de Cross-Site Scripting (XSS) autenticada (con permisos de gerente de tienda o superiores) almacenada en el complemento CedCommerce Recently Viewed and Most Viewed Products en versiones <= 1.1.1. The Recently viewed and most viewed products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an unknown parameter in all ver... • https://patchstack.com/database/vulnerability/recently-viewed-and-most-viewed-products/wordpress-recently-viewed-and-most-viewed-products-plugin-1-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4298 – Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
https://notcve.org/view.php?id=CVE-2022-4298
12 Dec 2022 — The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. El complemento Wholesale Market de WordPress anterior a 2.2.1 no tiene verificación de autorización y tampoco valida la entrada del usuario utilizada para generar la ruta del sistema, lo que permite a atacantes no autenticados descargar archivos arbitrarios desde el servidor. ... • https://wpscan.com/vulnerability/7485ad23-6ea4-4018-88b1-174312a0a478 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4109 – Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download
https://notcve.org/view.php?id=CVE-2022-4109
12 Dec 2022 — The Wholesale Market for WooCommerce WordPress plugin before 2.0.0 does not validate user input against path traversal attacks, allowing high privilege users such as admin to download arbitrary logs from the server even when they should not be able to (for example in multisite) El complemento Wholesale Market for WooCommerce de WordPress anterior a 2.0.0 no valida la entrada del usuario contra ataques de recorrido de ruta, lo que permite a usuarios con privilegios elevados, como el administrador, descargar ... • https://wpscan.com/vulnerability/51e023de-189d-4557-9655-23f7ba58b670 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4106 – Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download
https://notcve.org/view.php?id=CVE-2022-4106
28 Nov 2022 — The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server. El complemento de WordPress Wholesale Market para WooCommerce anterior a 1.0.7 no tiene verificación de autorización y tampoco valida la entrada del usuario utilizada para generar la ruta del sistema, lo que permite a atacantes no autenticados descargar archivo... • https://wpscan.com/vulnerability/b60a0d3d-148f-4e9b-baee-7332890804ed • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-552: Files or Directories Accessible to External Parties •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4108 – Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download
https://notcve.org/view.php?id=CVE-2022-4108
28 Nov 2022 — The Wholesale Market for WooCommerce WordPress plugin before 1.0.8 does not validate user input used to generate system path, allowing high privilege users such as admin to download arbitrary file from the server even when they should not be able to (for example in multisite) El complemento de WordPress Wholesale Market para WooCommerce anterior a 1.0.8 no valida la entrada del usuario utilizada para generar la ruta del sistema, lo que permite a usuarios con privilegios elevados, como el administrador, desc... • https://wpscan.com/vulnerability/9d1770df-91f0-41e3-af0d-522ae4e62470 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-4107 – SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download
https://notcve.org/view.php?id=CVE-2022-4107
22 Nov 2022 — The SMSA Shipping for WooCommerce WordPress plugin before 1.0.5 does not have authorisation and proper CSRF checks, as well as does not validate the file to be downloaded, allowing any authenticated users, such as subscriber to download arbitrary file from the server El complemento de WordPress SMSA Shipping para WooCommerce anterior a 1.0.5 no tiene autorización ni verificaciones CSRF adecuadas, además de no validar el archivo que se descargará, lo que permite a cualquier usuario autenticado, como un suscr... • https://wpscan.com/vulnerability/0b432858-722c-4bda-aa95-ad48e2097302 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •