CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29093 – WordPress Conditional extra fees for woocommerce Plugin <= 1.0.96 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-29093
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PI Websolution Conditional cart fee plugin <= 1.0.96 versions. The Conditional cart fee / Extra charge rule for WooCommerce extra fees plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.0.96 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers ,with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/conditional-extra-fees-for-woocommerce/wordpress-conditional-extra-fees-for-woocommerce-plugin-1-0-96-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28991 – WordPress Order date time for WooCommerce Plugin <= 3.0.19 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-28991
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Order date, Order pickup, Order date time, Pickup Location, delivery date for WooCommerce plugin <= 3.0.19 versions. The Order date time for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers ,with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/pi-woocommerce-order-date-time-and-type/wordpress-order-date-time-for-woocommerce-plugin-3-0-19-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28988 – WordPress Direct checkout, Add to cart redirect for Woocommerce Plugin <= 2.1.48 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-28988
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce plugin <= 2.1.48 versions. The Direct checkout, Add to cart redirect for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings in versions up to, and including, 2.1.48 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/add-to-cart-direct-checkout-for-woocommerce/wordpress-direct-checkout-add-to-cart-redirect-for-woocommerce-plugin-2-1-48-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47154 – WordPress CSS JS Manager Plugin <= 2.4.49 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-47154
Cross-Site Request Forgery (CSRF) vulnerability in Pi Websolution CSS JS Manager, Async JavaScript, Defer Render Blocking CSS supports WooCommerce plugin <= 2.4.49 versions. The CSS JS Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.49. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to create, modify, delete, and retrieve plugin resources via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/css-js-manager/wordpress-css-js-manager-async-javascript-defer-render-blocking-css-supports-woocommerce-plugin-2-4-49-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-3603 – Export customers list CSV for WooCommerce < 2.0.69 - CSV Injection
https://notcve.org/view.php?id=CVE-2022-3603
The Export customers list csv for WooCommerce, WordPress users csv, export Guest customer list WordPress plugin before 2.0.69 does not validate data when outputting it back in a CSV file, which could lead to CSV injection. El complemento Exportar lista de clientes csv para WooCommerce, usuarios de WordPress csv, exportar lista de clientes invitados de WordPress antes de 2.0.69 no valida los datos cuando los devuelve a un archivo CSV, lo que podría provocar una inyección de CSV. The Export customers list csv plugin for WooCommerce is vulnerable to CSV Injection in versions up to, and including, 2.0.67. This allows high-level attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. • https://wpscan.com/vulnerability/376e2bc7-2eb9-4e0a-809c-1582940ebdc7 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •