CVE-2024-5259 – MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution <= 4.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter
https://notcve.org/view.php?id=CVE-2024-5259
The MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hover_animation’ parameter in all versions up to, and including, 4.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/packages/mvx-elementor/widgets/class-mvx-widget-storesocial.php#L150
• https://plugins.trac.wordpress.org/changeset/3097002
• https://wordpress.org/plugins/dc-woocommerce-multi-vendor/#developers
• https://www.wordfence.com/threat-intel/vulnerabilities/id/59a349f2-048d-49a5-92ea-c19f1d1cd45e?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-31304 – WordPress MultiVendorX Marketplace <= 4.1.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31304
Missing Authorization vulnerability in MultiVendorX WC Marketplace. This issue affects WC Marketplace: from n/a through 4.1.3. The WC Marketplace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
• https://patchstack.com/database/vulnerability/dc-woocommerce-multi-vendor/wordpress-multivendorx-marketplace-4-1-3-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2020-36741 – MultiVendorX – MultiVendor Marketplace Solution For WooCommerce <= 3.5.7 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36741
The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4
• https://blo
• CWE-352: Cross-Site Request Forgery (CSRF)