CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35915 – WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-35915
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. La neutralización incorrecta de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. Este problema afecta a WooPayments – Fully Integrated Solution Built and Supported by Woo: desde n/a hasta 5.9 .0. The WooCommerce Payments plugin for WordPress is vulnerable to SQL Injection via the ‘currency', 'currency_is', and 'currency_is_not' parameters in versions up to, and including, 5.9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with shop manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35876 – WordPress WooCommerce Square Plugin <= 3.8.1 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35876
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce WooCommerce Square. Este problema afecta a WooCommerce Square: desde n/a hasta 3.8.1. The WooCommerce Square plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 3.8.1. This makes it possible for authenticated attackers with contributor-level privileges to modify other user's orders. • https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35914 – WordPress WooCommerce Subscriptions Plugin <= 5.1.2 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35914
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions.This issue affects Woo Subscriptions: from n/a through 5.1.2. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce Woo Subscriptions. Este problema afecta a Woo Subscriptions: desde n/a hasta 5.1.2. The WooCommerce Subscriptions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown unction in versions up to, and including, 5.1.2. This makes it possible for unauthenticated attackers to access or modify information by passing in a user-conttrolled parameter. • https://patchstack.com/database/vulnerability/woocommerce-subscriptions/wordpress-woocommerce-subscriptions-plugin-5-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35916 – WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35916
Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. Este problema afecta a WooPayments – Fully Integrated Solution Built and Supported by Woo: desde n/a hasta 5.9.0. The WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the redirect_pay_for_order_to_update_payment_method function in versions up to, and including, 5.9.0. This makes it possible for unauthenticated attackers to change payment information for other users' orders. • https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-125104 – VaultPress Plugin MailPoet Plugin class.vaultpress-hotfixes.php protect_aioseo_ajax unrestricted upload
https://notcve.org/view.php?id=CVE-2014-125104
A vulnerability was found in VaultPress Plugin up to 1.6.0 on WordPress. It has been declared as critical. Affected by this vulnerability is the function protect_aioseo_ajax of the file class.vaultpress-hotfixes.php of the component MailPoet Plugin. The manipulation leads to unrestricted upload. The attack can be launched remotely. • https://github.com/wp-plugins/vaultpress/commit/e3b92b14edca6291c5f998d54c90cbe98a1fb0e3 https://github.com/wp-plugins/vaultpress/releases/tag/1.6.1 https://vuldb.com/?ctiid.230263 https://vuldb.com/?id.230263 • CWE-434: Unrestricted Upload of File with Dangerous Type •