
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sensitive Data Exposure in Villatheme ALD - AliExpress Dropshipping and Fulfillment for WooCommerce premium plugin <= 1.1.0 on WordPress. The AliExpress Dropshipping and Fulfillment for WooCommerce Premium plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 1.1.0. This could allow unauthenticated attackers to extract sensitive user or configuration data.
• https://patchstack.com/database/vulnerability/woocommerce-alidropship/wordpress-ald-aliexpress-dropshipping-and-fulfillment-for-woocommerce-plugin-1-1-0-sensitive-data-exposure?_s_id=cve
• https://villatheme.com/extensions/aliexpress-dropshipping-and-fulfillment-for-woocommerce/#tab-changelog
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-202: Exposure of Sensitive Information Through Data Queries

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

The EXMAGE WordPress plugin before 1.0.7 does not ensure that images added via URLs are external images, which could lead to a blind SSRF issue by using local URLs.
• https://wpscan.com/vulnerability/bd8555bd-8086-41d0-a1f7-3557bc3af957
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.
• https://plugins.trac.wordpress.org/changeset/2643807
• https://wpscan.com/vulnerability/dc9a5d36-7453-46a8-a17f-712449d7987d
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to make changes to product prices.
• https://blog.nintechnet.com/vulnerability-fixed-in-wordpress-woocommerce-multi-currency-plugin
• https://codecanyon.net/item/woocommerce-multi-currency/20948446
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e2318ae9-4115-442e-9293-a9251787c5f3?source=cve
• CWE-862: Missing Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the get_items() and extra_tablenav() functions. This makes it possible for unauthenticated attackers to perform read-only actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
• https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3
• https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4
• https://blo
• CWE-352: Cross-Site Request Forgery (CSRF)