CVE-2023-2179 – WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
https://notcve.org/view.php?id=CVE-2023-2179
19 Apr 2023 — The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF checks when updating order statuses via an AJAX action available to any authenticated user, which could allow low-privilege users such as subscribers to update arbitrary order statuses, for example marking orders as paid without actually paying for them. The WooCommerce Order Status Change Notifier plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an AJAX... • https://wpscan.com/vulnerability/fbc56973-4225-4f44-8c38-d488e57cd551 • CWE-862: Missing Authorization •
CVE-2023-30783 – WordPress Smart WooCommerce Search plugin <= 2.5.0 - Broken Access Control
https://notcve.org/view.php?id=CVE-2023-30783
18 Apr 2023 — Missing Authorization vulnerability in YummyWP Smart WooCommerce Search allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart WooCommerce Search: from n/a through 2.5.0. The Smart WooCommerce Search plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks on the duplicate() & remove() functions called via AJAX actions in versions up to, and including, 2.5.0. This makes it possible for authenticated attackers,... • https://patchstack.com/database/wordpress/plugin/smart-woocommerce-search/vulnerability/wordpress-smart-woocommerce-search-plugin-2-5-0-broken-access-control?_s_id=cve • CWE-862: Missing Authorization •
CVE-2022-46858 – WordPress Product Specifications for Woocommerce Plugin <= 0.6.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-46858
28 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Amin A.Rezapour Product Specifications for Woocommerce plugin <= 0.6.0 versions. The Product Specifications for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via arbitrary query string parameters in versions up to, and including, 0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they ... • https://patchstack.com/database/vulnerability/product-specifications/wordpress-product-specifications-for-woocommerce-plugin-0-6-0-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-46864 – WordPress Woocommerce Custom Checkout Fields Editor With Drag & Drop Plugin <= 0.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2022-46864
28 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Umair Saleem Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin <= 0.1 versions. The Woocommerce Custom Checkout Fields Editor With Drag & Drop plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w... • https://patchstack.com/database/vulnerability/woo-custom-checkout-fields/wordpress-woocommerce-custom-checkout-fields-editor-with-drag-drop-plugin-0-1-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-46807 – WordPress Stock Sync for WooCommerce plugin <= 2.3.2 - Broken Access Control
https://notcve.org/view.php?id=CVE-2022-46807
22 Mar 2023 — Missing Authorization vulnerability in Lauri Karisola / WP Trio Stock Sync for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stock Sync for WooCommerce: from n/a through 2.3.2. The Stock Sync for WooCommerce plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to a missing capability check on the functions check_api_access and view_last_response in versions up to, and including, 2.3.2. This makes it possible for authenticated att... • https://patchstack.com/database/wordpress/plugin/stock-sync-for-woocommerce/vulnerability/wordpress-stock-sync-for-woocommerce-plugin-2-3-2-broken-access-control-csrf?_s_id=cve • CWE-862: Missing Authorization •
CVE-2023-22710 – WordPress Return and Warranty Management System for WooCommerce Plugin <= 1.2.3 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-22710
17 Mar 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in chilidevs Return and Warranty Management System for WooCommerce plugin <= 1.2.3 versions. The Return and Warranty Management System for WooCommerce plugin for WordPress is vulnerable to stored Cross-Site Scripting via an unknown parameter in versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute... • https://patchstack.com/database/vulnerability/wc-return-warrranty/wordpress-return-and-warranty-management-system-for-woocommerce-plugin-1-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-46795 – WordPress Print Invoice & Delivery Notes for WooCommerce plugin <= 4.7.2 - CSRF Plugin Settings Reset vulnerability
https://notcve.org/view.php?id=CVE-2022-46795
13 Mar 2023 — Missing Authorization vulnerability in Tyche Softwares Print Invoice & Delivery Notes for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 4.7.2. The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7.2. This is due to missing or incorrect nonce validation on the ts_reset_tracking_setting func... • https://patchstack.com/database/wordpress/plugin/woocommerce-delivery-notes/vulnerability/wordpress-print-invoice-delivery-notes-for-woocommerce-plugin-4-7-2-csrf-plugin-settings-reset-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVE-2023-0865 – WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR
https://notcve.org/view.php?id=CVE-2023-0865
27 Feb 2023 — The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belongs to the user making the request, or that the request comes from a high-privilege user, allowing any authenticated user, such as a subscriber, to add/update/duplicate/delete as well as retrieve addresses of other users. The WooCommerce Multiple Customer Addresses & Shipping plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including... • https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-45070 – WordPress Conditional Checkout Fields for WooCommerce plugin <= 1.2.3 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2022-45070
24 Feb 2023 — Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce. This issue affects Conditional Checkout Fields for WooCommerce: from n/a through 1.2.3. The Conditional Checkout Fields & Edit Checkout Fields for WooCommerce plugin for WordPress is vulnerable to unauthorized modificati... • https://patchstack.com/database/vulnerability/conditional-checkout-fields-for-woocommerce/wordpress-conditional-checkout-fields-for-woocommerce-plugin-1-2-1-broken-authentication-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2023-0068 – Product GTIN (EAN, UPC, ISBN) for WooCommerce <= 1.1.1 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0068
13 Feb 2023 — The Product GTIN (EAN, UPC, ISBN) for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Product GTIN (EAN, UPC, ISBN) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.1.1 du... • https://wpscan.com/vulnerability/4abd1454-380c-4c23-8474-d7da4b2f3b8e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •