CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-20891
https://notcve.org/view.php?id=CVE-2019-20891
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. WooCommerce versiones anteriores a 3.6.5, cuando maneja las importaciones CSV de productos, presenta un problema de tipo cross-site request forgery (CSRF) con un cross-site scripting (XSS) almacenado resultante (Un ataque de tipo XSS) por medio del archivo includes/admin/importers/class-wc-product-csv-importer-controller.php • https://blog.ripstech.com/2019/woocommerce-csrf-to-stored-xss https://raw.githubusercontent.com/woocommerce/woocommerce/master/CHANGELOG.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-29156 – WooCommerce < 4.7.0 - Insecure Direct Object Reference via order_id Parameter
https://notcve.org/view.php?id=CVE-2020-29156
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. El plugin WooCommerce versiones anteriores a 4.7.0 para WordPress, permite a atacantes remotos visualizar el estado de pedidos arbitrarios por medio del parámetro order_id en una acción fetch_order_status • https://github.com/Ko-kn3t/CVE-2020-29156 https://raw.githubusercontent.com/woocommerce/woocommerce/master/changelog.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-9168 – WooCommerce <= 3.5.4 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9168
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. WooCommerce, en versiones anteriores a la 3.5.5, permite Cross-Site Scripting (XSS) mediante una leyenda de Photoswipe. • https://woocommerce.wordpress.com/2019/02/20/woocommerce-3-5-5-security-fix-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-20714 – WooCommerce <= 3.4.5 - WooCommerce File Deletion
https://notcve.org/view.php?id=CVE-2018-20714
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. El sistema de registros del plugin Automattic WooCommerce, en versiones anteriores a la 3.4.6 para WordPress, es vulnerable a la eliminación de archivos. Esto permite la eliminación de woocommerce.php, lo que conduce a que no existan ciertas comprobaciones de privilegios y, por lo tanto, un gerente de tienda puede escalar privilegios a administrador. • https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •