CVE-2019-20891
https://notcve.org/view.php?id=CVE-2019-20891
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. WooCommerce versiones anteriores a 3.6.5, cuando maneja las importaciones CSV de productos, presenta un problema de tipo cross-site request forgery (CSRF) con un cross-site scripting (XSS) almacenado resultante (Un ataque de tipo XSS) por medio del archivo includes/admin/importers/class-wc-product-csv-importer-controller.php • https://blog.ripstech.com/2019/woocommerce-csrf-to-stored-xss https://raw.githubusercontent.com/woocommerce/woocommerce/master/CHANGELOG.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-29156 – WooCommerce < 4.7.0 - Insecure Direct Object Reference via order_id Parameter
https://notcve.org/view.php?id=CVE-2020-29156
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. El plugin WooCommerce versiones anteriores a 4.7.0 para WordPress, permite a atacantes remotos visualizar el estado de pedidos arbitrarios por medio del parámetro order_id en una acción fetch_order_status • https://github.com/Ko-kn3t/CVE-2020-29156 https://raw.githubusercontent.com/woocommerce/woocommerce/master/changelog.txt • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2019-9168 – WooCommerce <= 3.5.4 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-9168
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. WooCommerce, en versiones anteriores a la 3.5.5, permite Cross-Site Scripting (XSS) mediante una leyenda de Photoswipe. • https://woocommerce.wordpress.com/2019/02/20/woocommerce-3-5-5-security-fix-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •