CVE-2024-43132 – WordPress Docket (WooCommerce Collections / Wishlist / Watchlist) plugin < 1.7.0 - Unauthenticated SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-43132
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPWeb Elite Docket (WooCommerce Collections / Wishlist / Watchlist) allows SQL Injection.This issue affects Docket (WooCommerce Collections / Wishlist / Watchlist): from n/a before 1.7.0. The Docket (WooCommerce Collections / Wishlist / Watchlist) plugin for WordPress is vulnerable to SQL Injection in versions up to 1.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/woocommerce-collections/wordpress-docket-woocommerce-collections-wishlist-watchlist-plugin-1-6-6-unauthenticated-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-43131 – WordPress Docket (WooCommerce Collections / Wishlist / Watchlist) plugin < 1.7.0 - Unauthenticated Arbitrary Post/Page Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-43131
Incorrect Authorization vulnerability in WPWeb Docket (WooCommerce Collections / Wishlist / Watchlist) allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Docket (WooCommerce Collections / Wishlist / Watchlist): from n/a before 1.7.0. The Docket (WooCommerce Collections / Wishlist / Watchlist) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 1.7.0 (exclusive). This makes it possible for unauthenticated attackers to delete arbitrary pages and posts. • https://patchstack.com/database/vulnerability/woocommerce-collections/wordpress-docket-woocommerce-collections-wishlist-watchlist-plugin-1-6-6-unauthenticated-arbitrary-post-page-deletion-vulnerability?_s_id=cve • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVE-2024-43127 – WordPress Products, Order & Customers Export for WooCommerce plugin <= 2.0.11 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43127
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPFactory Products, Order & Customers Export for WooCommerce allows Reflected XSS.This issue affects Products, Order & Customers Export for WooCommerce: from n/a through 2.0.11. The Products, Order & Customers Export for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alg_export_filter_all_columns' parameter in versions up to, and including, 2.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/export-woocommerce/wordpress-products-order-customers-export-for-woocommerce-plugin-2-0-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43121 – WordPress HUSKY plugin <= 1.3.6.1 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-43121
Improper Privilege Management vulnerability in realmag777 HUSKY allows Privilege Escalation.This issue affects HUSKY: from n/a through 1.3.6.1. The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to missing option validation on the do_import_data() function in all versions up to, and including, 1.3.6.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. • https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-6-1-privilege-escalation-vulnerability?_s_id=cve • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •
CVE-2024-39650 – WordPress WooCommerce PDF Vouchers plugin < 4.9.5 - Unauthenticated Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2024-39650
Missing Authorization vulnerability in WPWeb Elite WooCommerce PDF Vouchers allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WooCommerce PDF Vouchers: from n/a through 4.9.4. The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like 'woo_vou_trigger_upgrades', 'woo_vou_admin_run_v430_udater_script', 'woo_vou_activate_license', 'woo_vou_generate_system_log' and many more in all versions up to, and including 4.9.4. This makes it possible for unauthenticated attackers to perform several actions that should only be performed by admins. • https://patchstack.com/database/vulnerability/woocommerce-pdf-vouchers/wordpress-woocommerce-pdf-vouchers-plugin-4-9-3-unauthenticated-multiple-vulnerabilities?_s_id=cve • CWE-862: Missing Authorization •