CVE-2023-25026 – WordPress PayPal Brasil para WooCommerce plugin <= 1.4.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-25026
06 Feb 2023 — Missing Authorization vulnerability in PayPal PayPal Brasil para WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PayPal Brasil para WooCommerce: from n/a through 1.4.2. The PayPal Brasil para WooCommerce Plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on multiple functions using the WooCommerce API. This makes it possible for unauthenticated attackers to pro... • https://patchstack.com/database/wordpress/plugin/paypal-brasil-para-woocommerce/vulnerability/wordpress-paypal-brasil-para-woocommerce-plugin-1-4-2-broken-access-control?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVE-2023-23868 – WordPress Cost of Goods for WooCommerce plugin <= 2.8.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-23868
06 Feb 2023 — Missing Authorization vulnerability in WPFactory Cost of Goods for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cost of Goods for WooCommerce: from n/a through 2.8.6. The Cost of Goods for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_costs function in versions up to, and including, 2.8.6. This makes it possible for authenticated attackers, with contributor-level perm... • https://patchstack.com/database/wordpress/plugin/cost-of-goods-for-woocommerce/vulnerability/wordpress-cost-of-goods-for-woocommerce-plugin-2-8-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVE-2022-45813 – BeRocket Plugins <= (Various Versions) - Missing Authorization
https://notcve.org/view.php?id=CVE-2022-45813
13 Dec 2022 — Several BeRocket Plugins for WordPress are vulnerable to authorization bypass due to missing capability checks on functions corresponding to AJAX actions that are available to subscribers. This includes the close_notice, subscribe, disable_rate_notice, feature_request_send, get_plugin_error_ajax, close_notice, and test_key functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those functions intended for administrator use. One of the functions i... • CWE-862: Missing Authorization •
CVE-2022-4329 – Product list Widget for Woocommerce <= 1.0 - Reflected XSS
https://notcve.org/view.php?id=CVE-2022-4329
08 Dec 2022 — The Product list Widget for Woocommerce WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both unauthenticated and authenticated users (including high-privilege ones such as admin). ... • https://wpscan.com/vulnerability/d7f2c1c1-75b7-4aec-8574-f38d506d064a • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-44630 – YITH plugins by YITHEMES <= (Various Versions) - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2022-44630
11 Nov 2022 — Several YITHEMES plugins for WordPress are vulnerable to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on the create_log_file function. This makes it possible for unauthenticated attackers to create an error or debug log file using the plugin via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. The function allows the user to specify the file name. Please note that the unpatched plugins from this developer ar... • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-41656 – Account Manager for WooCommerce <= 2.1.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2022-41656
13 Oct 2022 — The Account Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to export sensitive information such as user id, first name, and last name of registered users. • CWE-862: Missing Authorization •
CVE-2022-2555 – Yotpo Reviews for WooCommerce <= 2.0.4 - Arbitrary Settings Update via CSRF
https://notcve.org/view.php?id=CVE-2022-2555
01 Aug 2022 — The Yotpo Reviews for WooCommerce WordPress plugin through 2.0.4 lacks a nonce check when updating its settings, which could allow an attacker to make a logged-in admin change them via a CSRF attack. The Yotpo Reviews for WooCommerce plugin for Wo... • https://wpscan.com/vulnerability/7ec9e493-bc48-4a5d-8c7e-34beaba892ae • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-30998 – WordPress Homepage Product Organizer for WooCommerce plugin <= 1.1 - Multiple Authenticated SQL Injection (SQLi) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-30998
19 Jul 2022 — Multiple Authenticated (subscriber or higher user role) SQL Injection (SQLi) vulnerabilities in WooPlugins.co's Homepage Product Organizer for WooCommerce plugin <= 1.1 at WordPress. The Homepage Product Organizer for WooCommerce plugin for WordPress is vulnerable to SQL Injection ... • https://patchstack.com/database/vulnerability/homepage-product-organizer-for-woocommerce/wordpress-homepage-product-organizer-for-woocommerce-plugin-1-1-multiple-authenticated-sql-injection-sqli-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-1933 – CDI < 5.1.9 - Reflected Cross-Site-Scripting
https://notcve.org/view.php?id=CVE-2022-1933
21 Jun 2022 — The CDI WordPress plugin before 5.1.9 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting. ... • https://wpscan.com/vulnerability/6cedb27f-6140-4cba-836f-63de98e521bf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-2099 – WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
https://notcve.org/view.php?id=CVE-2022-2099
20 Jun 2022 — The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles. The WooCommerce plugin for WordPress is vulnerable to Stored HTML Injection via payment gateway titles in versions up to 6.6.0 due to insufficient input sanitization... • https://wpscan.com/vulnerability/0316e5f3-3302-40e3-8ff4-be3423a3be7b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •