
CVSS: 4.3 • EPSS: % • CPEs: 1 • EXPL: 0

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7.2. This is due to missing or incorrect nonce validation on the ts_reset_tracking_setting function. This makes it possible for unauthenticated attackers to reset usage tracking via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address being added, updated, retrieved, deleted or duplicated belongs to the user making the request, or that the request comes from a high-privilege user, allowing any authenticated user, such as a subscriber, to add/update/duplicate/delete as well as retrieve addresses of other users. The WooCommerce Multiple Customer Addresses & Shipping plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 21.6. This is due to missing protections on the plugin's administrative functions. This makes it possible for subscriber-level attackers to create, delete, view, and update addresses of other users. • https://wpscan.com/vulnerability/e39c0171-ed4a-4143-9a31-c407e3555eec • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Missing Authorization vulnerability in FmeAddons Conditional Checkout Fields for WooCommerce. This issue affects Conditional Checkout Fields for WooCommerce: from n/a through 1.2.3. The Conditional Checkout Fields & Edit Checkout Fields for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to perform unauthorized actions. • https://patchstack.com/database/vulnerability/conditional-checkout-fields-for-woocommerce/wordpress-conditional-checkout-fields-for-woocommerce-plugin-1-2-1-broken-authentication-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Product GTIN (EAN, UPC, ISBN) for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Product GTIN (EAN, UPC, ISBN) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/4abd1454-380c-4c23-8474-d7da4b2f3b8e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

The PayPal Brasil para WooCommerce Plugin is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on multiple functions using the WooCommerce API. This makes it possible for unauthenticated attackers to process checkouts and billing agreements via a forged request granted they can trick another site user into performing an action such as clicking on a link. • CWE-352: Cross-Site Request Forgery (CSRF)