CVE-2021-25000 – Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module
https://notcve.org/view.php?id=CVE-2021-25000
01 Dec 2021 — The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting it back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue. • https://wpscan.com/vulnerability/bc167b3a-24ee-4988-9934-189b6216ce40 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-34646 – Booster for WooCommerce <= 5.4.3 Authentication Bypass
https://notcve.org/view.php?id=CVE-2021-34646
24 Aug 2021 — Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link function found in the ~/includes/class-wcj-emails-verification.php file. This allows attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, ... • https://www.exploit-db.com/exploits/50299 • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-290: Authentication Bypass by Spoofing • CWE-330: Use of Insufficiently Random Values
CVE-2018-20966 – Booster for WooCommerce <= 3.7.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20966
28 Jul 2018 — The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature. • https://github.com/parzel/CVE-2018-20966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')