CVE-2024-52398 – WordPress CDI plugin <= 5.5.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-52398
Unrestricted Upload of File with Dangerous Type vulnerability in Halyra CDI.This issue affects CDI: from n/a through 5.5.3. The CDI – Collect and Deliver Interface for Woocommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.5.3. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/collect-and-deliver-interface-for-woocommerce/wordpress-cdi-plugin-5-5-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-1933 – CDI < 5.1.9 - Reflected Cross-Site-Scripting
https://notcve.org/view.php?id=CVE-2022-1933
The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting El plugin CDI de WordPress versiones anteriores a 5.1.9, no sanea y escapa de un parámetro antes de devolverlo en la respuesta de una acción AJAX (disponible tanto para usuarios no autenticados como autenticados), conllevando a un ataque de tipo Cross-Site Scripting Reflejado CDI – Collect and Deliver Interface for Woocommerce plugin for WordPress is vulnerable to Cross-Site Scripting via multiple parameters in version up to, and including, 5.1.9. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser. • https://wpscan.com/vulnerability/6cedb27f-6140-4cba-836f-63de98e521bf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •