CVE-2019-14979 – WooCommerce PayPal Checkout Payment Gateway 1.6.17 - Parameter Tampering
https://notcve.org/view.php?id=CVE-2019-14979
29 Aug 2019 — cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On ... • https://gkaim.com/cve-2019-14979-vikas-chaudhary • CWE-20: Improper Input Validation •
CVE-2019-14978 – WooCommerce PayU India <= 2.1.1 - Improper Input Validation
https://notcve.org/view.php?id=CVE-2019-14978
25 Aug 2019 — /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. • https://gkaim.com/cve-2019-14978-vikas-chaudhary • CWE-20: Improper Input Validation •
CVE-2019-14796 – Woocommerce Products Price Bulk Edit <= 2.0 - Cross-Site Scripting via show_products_page_limit parameter
https://notcve.org/view.php?id=CVE-2019-14796
17 May 2019 — The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter. The Woocommerce Products... • https://wordpress.org/plugins/mq-woocommerce-products-price-bulk-edit/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-7441 – WordPress Plugin PayPal Checkout Payment Gateway 1.6.8 - Parameter Tampering
https://notcve.org/view.php?id=CVE-2019-7441
20 Mar 2019 — cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On H... • https://www.exploit-db.com/exploits/46632 •
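The three parameter-tampering entries above (CVE-2019-14979, CVE-2019-7441 and the PayU quantity case CVE-2019-14978) share one defence, the one the plugin author describes: the amount the gateway reports back is compared with the order total the shop stored at checkout, and a mismatch leaves the order on hold instead of completing it. The following is an added illustration of that check, not code from either plugin or from WooCommerce. The order layout, the notification field names (custom, mc_gross, mc_currency) and the status strings are assumptions made for the demo.

```php
<?php
// Added example, not plugin code: confirm a gateway-reported amount against the order
// total the shop stored at checkout. Notification field names (custom, mc_gross,
// mc_currency) and the order layout are assumptions for this demo.
declare(strict_types=1);

/** Constructed order as the shop recorded it; prices are kept in integer cents. */
const SAMPLE_ORDER = [
    'id'       => 1001,
    'currency' => 'USD',
    'items'    => [['sku' => 'TSHIRT-L', 'unit_price_cents' => 2500, 'qty' => 2]],
];

/** Order total from stored prices and quantities only, never from the checkout request.
 *  A tampered amount_1 or purchaseQuantity therefore cannot influence this value. */
function total_cents(array $order): int {
    $total = 0;
    foreach ($order['items'] as $item) {
        $total += $item['unit_price_cents'] * $item['qty'];
    }
    return $total;
}

/** Parse a decimal amount such as "50.00" into cents without floating point; null if malformed. */
function parse_cents(string $amount): ?int {
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $amount, $m)) {
        return null;
    }
    $fraction = str_pad($m[2] ?? '', 2, '0');
    return (int) $m[1] * 100 + (int) $fraction;
}

/**
 * Status to give the order when the gateway reports a completed payment: 'processing'
 * only if the notification belongs to this order and its amount and currency match the
 * stored total; otherwise 'on-hold' so a human reviews it before anything ships.
 */
function decide_status(array $order, array $notification): string {
    if ((string) ($notification['custom'] ?? '') !== (string) $order['id']) {
        return 'on-hold'; // notification is not for this order
    }
    $paid = parse_cents((string) ($notification['mc_gross'] ?? ''));
    if ($paid === null || $paid !== total_cents($order)) {
        return 'on-hold'; // amount_1-style tampering lands here
    }
    if (($notification['mc_currency'] ?? '') !== $order['currency']) {
        return 'on-hold'; // same digits in a weaker currency is also a mismatch
    }
    return 'processing';
}

// Constructed notifications: one after the buyer rewrote amount_1 (or the quantity) in
// the cart request so the gateway charged 1.00, and one for an unmodified checkout.
$tampered = ['custom' => '1001', 'mc_gross' => '1.00',  'mc_currency' => 'USD'];
$honest   = ['custom' => '1001', 'mc_gross' => '50.00', 'mc_currency' => 'USD'];
printf("tampered: %s\nhonest:   %s\n",
    decide_status(SAMPLE_ORDER, $tampered),
    decide_status(SAMPLE_ORDER, $honest));
```

With these constructed inputs the tampered notification resolves to on-hold and the honest one to processing. The point is the source of truth: the total comes from what the shop stored, and the client-controlled amount or quantity is only ever compared against it, never used to compute it.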
CVE-2019-18834 – WooCommerce Subscriptions < 2.6.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-18834
11 Mar 2019 — Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. • https://woocommerce.com/products/woocommerce-subscriptions • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2019-9168 – WooCommerce <= 3.5.4 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9168
20 Feb 2019 — WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. • https://woocommerce.wordpress.com/2019/02/20/woocommerce-3-5-5-security-fix-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20714 – WooCommerce <= 3.4.5 - WooCommerce File Deletion
https://notcve.org/view.php?id=CVE-2018-20714
06 Nov 2018 — The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. • https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
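The entry above is a file-deletion primitive reached through a log-management feature, and its impact comes from which file gets deleted (woocommerce.php, whose absence removes privilege checks). The following is an added illustration of the pattern, not WooCommerce's logging code: a delete handler that joins a request-supplied log handle to the log directory unchecked, beside one that only removes a plainly named *.log file resolved inside that directory. Function names, the directory layout and the handle format are assumptions for the demo; the endpoint would additionally sit behind a capability check, but as the advisory shows the path confinement is what stops a user who may legitimately delete logs from deleting anything else.

```php
<?php
// Added example (illustrative, not WooCommerce's code): a log-file delete handler that
// lets "../" in the requested handle reach files outside the log directory, beside one
// that only ever removes a plainly named *.log file resolved inside that directory.
// Names and layout are assumptions for this demo.
declare(strict_types=1);

/** Vulnerable pattern: the request-supplied handle is joined to the log directory as-is. */
function delete_log_vulnerable(string $logDir, string $handle): bool {
    return @unlink($logDir . '/' . $handle);
}

/** Hardened: the name must match the log naming scheme (no dots except the final ".log",
 *  so ".." cannot appear) and the resolved path's parent must be the log directory. */
function delete_log_hardened(string $logDir, string $handle): bool {
    if (!preg_match('/^[A-Za-z0-9_-]+\.log$/', $handle)) {
        return false;
    }
    $base = realpath($logDir);
    $path = realpath($logDir . '/' . $handle);
    if ($base === false || $path === false || dirname($path) !== $base || !is_file($path)) {
        return false;
    }
    return unlink($path);
}

/** Constructed layout in a temp tree: plugin/woocommerce.php with plugin/logs/ beside it. */
function log_deletion_demo(): array {
    $root   = sys_get_temp_dir() . '/wc-log-demo-' . bin2hex(random_bytes(4));
    $plugin = "$root/plugin";
    $logDir = "$plugin/logs";
    mkdir($logDir, 0700, true);
    file_put_contents("$plugin/woocommerce.php", "<?php // plugin bootstrap (constructed)\n");
    file_put_contents("$logDir/payments.log", "constructed log line\n");

    $traversal = '../woocommerce.php'; // what a shop manager could submit as the handle
    $result = [];

    // Case 1: the unchecked handler follows the traversal and removes the plugin file.
    $result['vulnerable_removed_plugin_file'] =
        delete_log_vulnerable($logDir, $traversal) && !file_exists("$plugin/woocommerce.php");
    file_put_contents("$plugin/woocommerce.php", "<?php // restored for the next case\n");

    // Case 2: the hardened handler refuses the same handle and the plugin file survives.
    $result['hardened_rejected_traversal'] =
        delete_log_hardened($logDir, $traversal) === false && file_exists("$plugin/woocommerce.php");

    // Case 3: the hardened handler still does its job for a real log file.
    $result['hardened_removed_real_log'] =
        delete_log_hardened($logDir, 'payments.log') && !file_exists("$logDir/payments.log");

    @unlink("$plugin/woocommerce.php");
    @rmdir($logDir);
    @rmdir($plugin);
    @rmdir($root);
    return $result;
}

print_r(log_deletion_demo());
```

All three keys come back true: the traversal deletes the plugin file through the unchecked handler, is refused by the hardened one, and the hardened one still deletes a genuine log. Note that the regex alone would be enough to stop ".." here; the realpath comparison is kept so that a symlink dropped into the log directory cannot redirect the unlink either.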
CVE-2018-8710 – WOOF - Products Filter for WooCommerce <= 1.1.9 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-8710
06 Mar 2018 — A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive. • https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-287: Improper Authentication •
CVE-2018-8711 – WOOF - Products Filter for WooCommerce <= 1.1.9 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2018-8711
06 Mar 2018 — A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack. • https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html • CWE-20: Improper Input Validation CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
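The two WOOF entries above (CVE-2018-8710 and CVE-2018-8711) describe one unauthenticated AJAX handler with two defects: request markup is handed to the shortcode engine, and extract() over the request arguments lets a caller overwrite $pagepath before it is included. The following is an added illustration of both, not WOOF's source: the extract()-then-include pattern beside a render that selects the template from an allowlist and passes the arguments as one array, plus a shortcode builder that accepts only allowlisted attributes instead of raw markup. Function names, the template name and the attribute allowlist are assumptions for the demo, and the temp files it reads are constructed.

```php
<?php
// Added example (illustrative, not WOOF's source): the extract()/include defect and the
// raw-shortcode defect side by side with hardened variants. Names are assumptions.
declare(strict_types=1);

/** Vulnerable render: extract() turns every caller-supplied key into a local variable,
 *  so a request carrying "pagepath" silently replaces the template path before include. */
function render_html_vulnerable(string $pagepath, array $args): string {
    extract($args);
    ob_start();
    include $pagepath;
    return (string) ob_get_clean();
}

/** Hardened render: the template is chosen by key from an allowlist and the arguments are
 *  handed to it as one array; nothing from the request can become a local variable. */
function render_html_hardened(string $templateDir, string $template, array $args): string {
    $allowed = ['filter' => 'filter.php']; // assumed template names
    if (!isset($allowed[$template])) {
        throw new InvalidArgumentException('unknown template');
    }
    $file = $templateDir . '/' . $allowed[$template];
    ob_start();
    (static function (string $__file, array $args): void { include $__file; })($file, $args);
    return (string) ob_get_clean();
}

/** Hardened shortcode handling: never pass request markup to do_shortcode(); build the one
 *  shortcode this endpoint exists to render from allowlisted, pattern-checked attributes. */
function build_woof_shortcode(array $request): string {
    $allowedAttrs = ['sid' => '/^[A-Za-z0-9_-]{1,64}$/']; // assumed attribute allowlist
    $attrs = '';
    foreach ($allowedAttrs as $name => $pattern) {
        if (isset($request[$name]) && preg_match($pattern, (string) $request[$name])) {
            $attrs .= ' ' . $name . '="' . $request[$name] . '"';
        }
    }
    return '[woof' . $attrs . ']';
}

/** Constructed scenario in a temp dir: a template and a file it was never meant to read. */
function woof_demo(): array {
    $dir = sys_get_temp_dir() . '/woof-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    file_put_contents("$dir/filter.php", '<?php echo "filter for " . ($args["sid"] ?? "?");');
    file_put_contents("$dir/secret.txt", "constructed secret\n");

    // What an unauthenticated caller could post to the redraw action.
    $request = [
        'shortcode' => '[woof sid="x"][some_sensitive_shortcode]',
        'pagepath'  => "$dir/secret.txt",
        'sid'       => 'x',
    ];

    $out = [];
    // extract() overwrites $pagepath, so the "template" that gets included is secret.txt.
    $out['vulnerable'] = trim(render_html_vulnerable("$dir/filter.php", $request));
    // The hardened render ignores "pagepath" entirely and renders the real template.
    $out['hardened'] = render_html_hardened($dir, 'filter', ['sid' => $request['sid']]);
    // Only the allowlisted attribute survives; the injected shortcode never reaches do_shortcode().
    $out['shortcode'] = build_woof_shortcode($request);
    try {
        render_html_hardened($dir, $request['pagepath'], []);
    } catch (InvalidArgumentException $e) {
        $out['hardened_path_rejected'] = true;
    }

    @unlink("$dir/filter.php");
    @unlink("$dir/secret.txt");
    @rmdir($dir);
    return $out;
}

print_r(woof_demo());
```

Run stand-alone, the vulnerable render returns the contents of secret.txt, the hardened one returns "filter for x", the shortcode builder yields `[woof sid="x"]`, and the attempt to use the request path as a template key is rejected. In a real plugin the handler would also be registered only for authenticated callers with a nonce check, which addresses the CWE-287 half of CVE-2018-8710; the code above shows the part that is independent of WordPress.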
CVE-2017-20193 – Product Vendors <= 2.0.35 - Reflected Cross Site Scripting
https://notcve.org/view.php?id=CVE-2017-20193
22 Aug 2017 — The Product Vendors plugin is vulnerable to Reflected Cross-Site Scripting via the 'vendor_description' parameter in versions up to, and including, 2.0.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://hackerone.com/reports/253313 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •