CVE-2022-1470 – Ultimate WooCommerce CSV Importer <= 2.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-1470
02 Jun 2022 — The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 does not sanitise and escape the imported data before outputting it back in the page, leading to Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/13bb796f-7a17-47c9-a46f-a1d6ca4b6b91 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-1953 – Product Configurator for WooCommerce < 1.2.32 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2022-1953
01 Jun 2022 — The Product Configurator for WooCommerce WordPress plugin before 1.2.32 suffers from an arbitrary file deletion vulnerability via an AJAX action that is accessible to unauthenticated users: the action accepts user input, uses it to build a path and passes that path to unlink() without validating it first. • https://wpscan.com/vulnerability/b66d6682-edbc-435f-a73a-dced32a32770 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
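Added example, not the plugin's code and not taken from the advisory: a hypothetical WordPress AJAX handler that shows the unlink() pattern this entry describes, beside a hardened version. The action name pc_remove_upload, the nonce action, the pc-uploads upload sub-directory and the manage_woocommerce capability are assumptions made for the illustration.

```php
<?php
/**
 * Illustration of the CVE-2022-1953 pattern: an AJAX action that passes
 * request input into a path and calls unlink() on it.
 * Hypothetical code, not the Product Configurator plugin's source; the action
 * name, nonce action, upload sub-directory and capability are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_nopriv_* exposes the handler to visitors who are not logged in, and
// the request value is concatenated into the path with no validation.
add_action( 'wp_ajax_nopriv_pc_remove_upload', 'pc_remove_upload_vulnerable' );
add_action( 'wp_ajax_pc_remove_upload', 'pc_remove_upload_vulnerable' );

function pc_remove_upload_vulnerable() {
	$upload = wp_upload_dir();
	// file=../../../wp-config.php walks out of the intended directory; deleting
	// wp-config.php drops the site into the installer on the next request.
	$file = $upload['basedir'] . '/pc-uploads/' . $_POST['file'];
	if ( file_exists( $file ) ) {
		unlink( $file );
	}
	wp_send_json_success();
}

// --- Hardened pattern -------------------------------------------------------
// Logged-in users only (no nopriv hook), CSRF nonce, capability check, and the
// resolved path is confined to the upload sub-directory before unlink().
add_action( 'wp_ajax_pc_remove_upload', 'pc_remove_upload_hardened' );

function pc_remove_upload_hardened() {
	check_ajax_referer( 'pc_remove_upload', 'nonce' );      // dies on a bad or missing nonce
	if ( ! current_user_can( 'manage_woocommerce' ) ) {       // authorisation, not just authentication
		wp_send_json_error( 'forbidden', 403 );             // wp_send_json_* ends the request
	}

	$upload   = wp_upload_dir();
	$base_dir = realpath( $upload['basedir'] . '/pc-uploads' );

	// Reduce the input to a bare file name: basename() drops any directory
	// part, sanitize_file_name() strips the remaining special characters.
	$name = sanitize_file_name( basename( wp_unslash( $_POST['file'] ?? '' ) ) );
	if ( '' === $name || false === $base_dir ) {
		wp_send_json_error( 'invalid file', 400 );
	}

	// realpath() resolves ".." and symlinks; the prefix comparison is the real
	// guard, so a symlink inside pc-uploads that points elsewhere is rejected.
	$target = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
	if ( false === $target
		|| 0 !== strpos( $target, $base_dir . DIRECTORY_SEPARATOR )
		|| ! is_file( $target ) ) {
		wp_send_json_error( 'invalid file', 400 );
	}

	if ( ! unlink( $target ) ) {
		wp_send_json_error( 'delete failed', 500 );
	}
	wp_send_json_success( array( 'deleted' => $name ) );
}
```

A real plugin should additionally tie the file to the requesting user or order before deleting it; confinement to a directory stops traversal but does not by itself stop one customer deleting another customer's upload.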
CVE-2022-0814 – Ubigeo de Peru < 3.6.4 - Unauthenticated SQLi
https://notcve.org/view.php?id=CVE-2022-0814
18 Apr 2022 — The Ubigeo de Perú para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements in various AJAX actions, some of which are available to unauthenticated users, leading to SQL injection. • https://wpscan.com/vulnerability/fd84dc08-0079-4fcf-81c3-a61d652e3269 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-0775 – WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion
https://notcve.org/view.php?id=CVE-2022-0775
22 Feb 2022 — The WooCommerce WordPress plugin before 6.2.1 does not perform a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments. The WooCommerce plugin for WordPress is vulnerable to authorization bypass d... • https://developer.woocommerce.com/2022/02/22/woocommerce-6-2-1-security-fix • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVE-2021-24940 – Persian Woocommerce <= 5.8.0 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24940
15 Feb 2022 — The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back inside an attribute in the admin dashboard, which could lead to Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/1980c5ca-447d-4875-b542-9212cc7ff77f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24928 – Rearrange Woocommerce Products < 3.0.8 - Subscriber+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24928
05 Jan 2022 — The Rearrange Woocommerce Products WordPress plugin before 3.0.8 has no proper access control on the save_all_order AJAX action and no validation or escaping when inserting user data into an SQL statement, leading to SQL injection. This allows any authenticated user, such as a subscriber, to modify arbitrary post content (for example with an XSS payload) and to exfiltrate any data by copying it into another post. • https://wpscan.com/vulnerability/3762a77c-b8c9-428f-877c-bbfd7958e7be • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2021-42367 – Variation Swatches for WooCommerce <= 2.1.1 Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-42367
01 Dec 2021 — The Variation Swatches for WooCommerce WordPress plugin, in versions up to and including 2.1.1, is vulnerable to Stored Cross-Site Scripting via several parameters handled in ~/includes/class-menu-page.php, which allows attackers to inject arbitrary web scripts. Because the tawcvs_save_settings function lacks an authorization check, low-privileged authenticated users such as subscribers can exploit this vulnerability. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2634227%40variation-swatches-for-woocommerce&new=2634227%40variation-swatches-for-woocommerce&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-862: Missing Authorization •
CVE-2021-24846 – Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24846
22 Nov 2021 — The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action (available to all authenticated users), does not properly sanitise the sort parameter before using it in an SQL statement, leading to SQL injection exploitable by any authenticated user, such as a subscriber. • https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
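Added example, not the code of any plugin listed here: a hypothetical WordPress AJAX handler showing the "sort parameter into ORDER BY" pattern behind the three AJAX SQL injection entries above (Ubigeo de Perú, Rearrange Woocommerce Products, Ni WooCommerce Custom Order Status) beside a hardened version. The table name example_status, its columns, the action name example_status_list, the nonce action and the manage_woocommerce capability are assumptions made for the illustration.

```php
<?php
/**
 * Illustration of an ORDER BY injection through a "sort" request parameter in
 * an AJAX action that any logged-in user can call.
 * Hypothetical code, not any listed plugin's source; table, columns, action
 * name, nonce action and capability are assumptions.
 */

// --- Vulnerable pattern -----------------------------------------------------
// $wpdb->prepare() binds values only. ORDER BY needs an identifier, and a %s
// placeholder would yield ORDER BY 'status' (a string constant, no ordering),
// which is why developers end up concatenating the raw parameter instead.
function example_get_query_vulnerable( $sort, $dir ) {
	global $wpdb;
	// A CASE expression keyed on a subquery, e.g.
	//   sort=(CASE WHEN (SELECT SUBSTRING(user_pass,1,1) FROM wp_users WHERE ID=1)='$' THEN id ELSE name END)
	// turns the row order of the response into a boolean oracle (default table prefix assumed).
	return "SELECT id, name, status FROM {$wpdb->prefix}example_status ORDER BY {$sort} {$dir}";
}

add_action( 'wp_ajax_example_status_list', 'example_status_list_vulnerable' );
function example_status_list_vulnerable() {
	global $wpdb;
	// No nonce, no capability check: every authenticated role reaches this.
	wp_send_json( $wpdb->get_results( example_get_query_vulnerable( $_POST['sort'], $_POST['dir'] ) ) );
}

// --- Hardened pattern -------------------------------------------------------
// Identifiers come from an allow-list, the direction is a two-way choice, and
// the part that really is user data (a search term) goes through prepare().
function example_get_query_hardened( $sort, $dir, $search ) {
	global $wpdb;
	$columns = array( 'id', 'name', 'status' );
	$sort    = in_array( $sort, $columns, true ) ? $sort : 'id';
	$dir     = ( 'desc' === strtolower( (string) $dir ) ) ? 'DESC' : 'ASC';
	$like    = '%' . $wpdb->esc_like( $search ) . '%';   // escape LIKE wildcards before binding
	return $wpdb->prepare(
		"SELECT id, name, status FROM {$wpdb->prefix}example_status WHERE name LIKE %s ORDER BY `{$sort}` {$dir}",
		$like
	);
}

add_action( 'wp_ajax_example_status_list', 'example_status_list_hardened' );
function example_status_list_hardened() {
	global $wpdb;
	check_ajax_referer( 'example_status_list', 'nonce' );
	if ( ! current_user_can( 'manage_woocommerce' ) ) {   // subscribers stop here
		wp_send_json_error( 'forbidden', 403 );
	}
	$sql = example_get_query_hardened(
		sanitize_key( $_POST['sort'] ?? '' ),
		sanitize_key( $_POST['dir'] ?? '' ),
		sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) )
	);
	wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

The allow-list is the fix for the identifier position; sanitize_key() alone is not enough, because a column name that does not exist still produces an SQL error and a differential oracle. Since WordPress 6.2, $wpdb->prepare() also accepts a %i placeholder that backtick-quotes an identifier, which is an acceptable alternative for the column name but still does not validate that the column is one the caller should be allowed to sort by.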
CVE-2021-42363 – Preview E-Mails for WooCommerce <= 1.6.8 Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-42363
18 Nov 2021 — The Preview E-Mails for WooCommerce WordPress plugin, in versions up to and including 1.6.8, is vulnerable to Reflected Cross-Site Scripting via the search_order parameter handled in ~/views/form.php, which allows attackers to inject arbitrary web scripts. • https://plugins.trac.wordpress.org/changeset/2625941/woo-preview-emails/trunk/views/form.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24938 – WooCommerce Currency Switcher < 1.3.7.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24938
08 Nov 2021 — The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to Reflected Cross-Site Scripting. • https://wpscan.com/vulnerability/df8a6f2c-e075-45d5-9262-b4eb63c9351e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
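Added example, not the code of any plugin listed here: hypothetical WordPress snippets showing the three output contexts behind the reflected XSS entries above (an HTML attribute as in Persian Woocommerce, the page body as in Ultimate WooCommerce CSV Importer and Preview E-Mails, and an AJAX response as in WooCommerce Currency Switcher), each beside its escaped form. The parameter names, the action name example_update_profile, the nonce action and the manage_options capability are assumptions made for the illustration; the same output escaping applies to stored values such as the settings in the Variation Swatches entry.

```php
<?php
/**
 * Illustration of context-aware output escaping for reflected XSS.
 * Hypothetical code, not any listed plugin's source; parameter names, action
 * name, nonce action and capability are assumptions.
 */

// --- Vulnerable patterns ----------------------------------------------------
// (1) Attribute context: the raw value closes the attribute and adds a handler:
//     ?s=%22%20autofocus%20onfocus%3Dalert(document.domain)%20x%3D%22
function example_search_box_vulnerable() {
	$s = isset( $_GET['s'] ) ? $_GET['s'] : '';
	echo '<input type="text" name="s" value="' . $s . '">';
}

// (2) HTML body context: imported or submitted data echoed as markup.
function example_import_summary_vulnerable( $imported_name ) {
	echo '<p>Imported: ' . $imported_name . '</p>';
}

// (3) AJAX response echoed as text/html: a <script> in "key" runs in the
//     admin's origin when the response is rendered by the browser.
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_vulnerable' );
function example_update_profile_vulnerable() {
	echo 'Updated profile ' . $_POST['key'];
	wp_die();
}

// --- Hardened patterns ------------------------------------------------------
// Sanitise on the way in, then escape for the exact context on the way out.
function example_search_box_hardened() {
	$s = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
	// esc_attr() encodes & < > " and ' so the value cannot end the attribute.
	echo '<input type="text" name="s" value="' . esc_attr( $s ) . '">';
}

function example_import_summary_hardened( $imported_name ) {
	// Data from an uploaded CSV is untrusted input like any request parameter.
	echo '<p>Imported: ' . esc_html( $imported_name ) . '</p>';
}

add_action( 'wp_ajax_example_update_profile', 'example_update_profile_hardened' );
function example_update_profile_hardened() {
	check_ajax_referer( 'example_update_profile', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	$key = sanitize_key( $_POST['key'] ?? '' );   // keeps only [a-z0-9_-]
	// wp_send_json_* sets Content-Type: application/json and JSON-encodes the
	// payload, so the browser never parses the echoed value as HTML.
	wp_send_json_success( array( 'key' => $key ) );
}
```

Two details worth checking in a review: a value placed inside inline JavaScript needs wp_json_encode() or esc_js() rather than esc_attr(), and a URL needs esc_url(); and for a reflection that is only reachable through a POST-only AJAX action, the nonce check also removes the cross-site delivery path, since the attacker cannot forge a request carrying a valid nonce.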