CVSS: 5.5EPSS: %CPEs: 1EXPL: 0CVE-2024-9170 – Booster for WooCommerce <= 7.2.3 - Authenticated (ShopManager+) Stored Cross-Site Scripting via wcj_product_meta Shortcode
https://notcve.org/view.php?id=CVE-2024-9170
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wcj_product_meta shortcode in all versions up to, and including, 7.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with ShopManager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: %CPEs: 1EXPL: 0CVE-2024-10857 – Product Input Fields for WooCommerce <= 1.9 - Authenticated (Contributor+) Arbitrary File Read
https://notcve.org/view.php?id=CVE-2024-10857
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. • CWE-35: Path Traversal: '.../ •
CVSS: 6.1EPSS: %CPEs: 1EXPL: 0CVE-2024-11418 – Additional Order Filters for WooCommerce <= 1.21 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-11418
The Additional Order Filters for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shipping_method_filter' parameter in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: %CPEs: 1EXPL: 0CVE-2024-10729 – Booking & Appointment Plugin for WooCommerce <= 6.9.0 - Authenticated (Subscriber+) Arbitrary Option Update
https://notcve.org/view.php?id=CVE-2024-10729
The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_calendar_data' function in versions up to, and including, 6.9.0. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. • CWE-285: Improper Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52398 – WordPress CDI plugin <= 5.5.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-52398
Unrestricted Upload of File with Dangerous Type vulnerability in Halyra CDI.This issue affects CDI: from n/a through 5.5.3. The CDI – Collect and Deliver Interface for Woocommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.5.3. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/collect-and-deliver-interface-for-woocommerce/wordpress-cdi-plugin-5-5-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •