CVE-2024-1310 – WooCommerce < 8.6 - Contributor+ Private/Draft Products Access
https://notcve.org/view.php?id=CVE-2024-1310
The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to. (e.g. private, draft and trashed products) El complemento WooCommerce WordPress anterior a 8.6 no impide que los usuarios con al menos el rol de colaborador filtren productos a los que no deberían tener acceso. (por ejemplo, productos privados, borradores y desechados) The WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to insufficient restrictions in the product shortcode in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with contributor-level access and above, to view private and draft products. • https://wpscan.com/vulnerability/a7735feb-876e-461c-9a56-ea6067faf277 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-52222 – WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-52222
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Automattic WooCommerce. Este problema afecta a WooCommerce: desde n/a hasta 8.2.2. The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.2. This is due to missing or incorrect nonce validation on a function. • https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-47777 – WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-47777
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Scripting entre sitios') en Automattic WooCommerce, Automattic WooCommerce Blocks permite XSS almacenado. Este problema afecta a WooCommerce: desde n/a hasta 8.1.1; WooCommerce Blocks: desde n/a hasta 11.1.1. The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a featured image 'alt' attribute in versions up to, and including, 8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/articles/authenticated-stored-xss-in-woocommerce-and-jetpack-plugin?_s_id=cve https://patchstack.com/database/vulnerability/woo-gutenberg-products-block/wordpress-woocommerce-blocks-plugin-11-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-1-1-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-25788 – WordPress Saphali Woocommerce Lite Plugin <= 1.8.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-25788
Cross-Site Request Forgery (CSRF) vulnerability in Saphali Saphali Woocommerce Lite plugin <= 1.8.13 versions. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Saphali Saphali Woocommerce Lite en versiones <= 1.8.13. The Saphali Woocommerce Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.13. This is due to missing or incorrect nonce validation on the 'woocommerce_saphali_page_s_l' function. This makes it possible for unauthenticated attackers to modify or reset plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/saphali-woocommerce-lite/wordpress-saphali-woocommerce-lite-plugin-1-8-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-32575 – WordPress Product page shipping calculator for WooCommerce Plugin <= 1.3.25 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-32575
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Almacenada en Product page shipping calculator for WooCommerce de PI Websolution que afecta a las versiones 1.3.25 e inferiores. Para explotar esta vulnerabilidad hace falta estar autenticado y tener permisos de administrador o superior. The Product page shipping calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.3.25 due to insufficient input sanitization and output escaping. • https://patchstack.com/database/vulnerability/product-page-shipping-calculator-for-woocommerce/wordpress-product-page-shipping-calculator-for-woocommerce-plugin-1-3-25-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •