CVE-2018-11633 – Digital Goods < 2.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-11633
An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php performs neither a Cross-Site Request Forgery (CSRF) check on the wp-admin/admin-post.php request nor a user capability check.
References: http://labs.threatpress.com/cross-site-request-forgery-csrf-in-woo-checkout-for-digital-goods-plugin ; https://wordpress.org/plugins/woo-checkout-for-digital-goods/#developers
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-11580 – Mass Pages/Posts Creator <= 1.2.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2018-11580
An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged-in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content.
References: http://labs.threatpress.com/mass-pages-posts-creator ; https://wordpress.org/plugins/mass-pagesposts-creator/#developers
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-862: Missing Authorization
CVE-2018-11486 – Advance Search for WooCommerce <= 1.0.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-11486
An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field, which will be loaded on every site page.
References: http://labs.threatpress.com/stored-cross-site-scripting-xss-in-advance-search-for-woocommerce-plugin
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-11485 – Advance Search for WooCommerce < 1.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-11485
The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to contain an XSS payload and then placing an order.
References: http://labs.threatpress.com/stored-cross-site-scripting-xss-in-woocommerce-quick-reports-plugin
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-11632 – Add Social Share Buttons for Whatsapp and Viber < 1.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-11632
An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via CSRF against wp-admin/admin-post.php. There is no nonce or capability check in the whatsapp_share_setting_add_update() function.
References: http://labs.threatpress.com/cross-site-request-forgery-csrf-in-add-social-share-messenger-buttons-whatsapp-and-viber-plugin ; https://wordpress.org/plugins/add-social-share-buttons/#developers
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)