CVE-2021-25085 – WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25085
The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements parameter before outputting it back in an admin page, leading to Reflected Cross-Site Scripting. • https://plugins.trac.wordpress.org/changeset/2648751 https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-25043 – WOOCS < 1.3.7.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-25043
The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. • https://plugins.trac.wordpress.org/changeset/2640621/woocommerce-currency-switcher https://wpscan.com/vulnerability/8601bd21-becf-4809-8c11-d053d1121eae • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
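Both entries above share the same root cause: a request parameter is written back into HTML without escaping for the output context. The following is an added illustrative example, not code from WOOF, WOOCS or their vendor; the parameter names woof_redraw_elements and custom_prices come from the advisories, while the function names, the allowlist values and the markup around them are assumptions made for the demonstration.

```php
<?php
// Added example: vulnerable reflection next to its hardened form (not plugin code).
// Assumed: the handler runs inside an admin page that any user with access to the
// page (or anyone who can lure an admin to a crafted URL) can reach.

// Vulnerable pattern: the parameter is echoed unchanged.
function demo_render_redraw_elements_vuln() {
    $elements = isset($_REQUEST['woof_redraw_elements']) ? $_REQUEST['woof_redraw_elements'] : '';
    // A value such as  "><script>alert(document.domain)</script>  breaks out of the
    // element because nothing neutralises < > " in the reflected string.
    echo '<div class="woof_redraw_elements" data-elements="' . $elements . '">' . $elements . '</div>';
}

// Hardened pattern: unslash, validate against what the value is allowed to be,
// then escape for the exact context (attribute vs. element text).
function demo_render_redraw_elements_safe() {
    $raw = isset($_REQUEST['woof_redraw_elements']) ? wp_unslash($_REQUEST['woof_redraw_elements']) : '';
    $allowed = array('products', 'pagination', 'sorting'); // assumed set of legal element names
    $items = array();
    foreach (explode(',', $raw) as $item) {
        $item = sanitize_key($item);               // lowercases, keeps only [a-z0-9_-]
        if (in_array($item, $allowed, true)) {
            $items[] = $item;
        }
    }
    $value = implode(',', $items);
    echo '<div class="woof_redraw_elements" data-elements="' . esc_attr($value) . '">'
        . esc_html($value) . '</div>';
}

// Same discipline for a numeric list such as custom_prices: reflect only values
// that pass a type check, and use wp_json_encode() when the output is JSON.
function demo_render_custom_prices_safe() {
    $raw = isset($_REQUEST['custom_prices']) ? wp_unslash($_REQUEST['custom_prices']) : '';
    $prices = array();
    foreach (explode(',', $raw) as $p) {
        $p = trim($p);
        if ($p !== '' && is_numeric($p)) {
            $prices[] = (float) $p;
        }
    }
    // JSON_HEX_TAG / JSON_HEX_AMP keep the encoded string safe even if it is later
    // dropped into an inline <script> block.
    echo wp_json_encode($prices, JSON_HEX_TAG | JSON_HEX_AMP);
}
```

The check a reviewer applies to each `echo` of request-derived data is simple: which context does it land in (HTML text, attribute, URL, JavaScript, JSON), and is the escaping function the one for that context. Sanitising on input alone is not enough, since a value that is harmless as text can still close an attribute.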
CVE-2021-24566 – WooCommerce Currency Switcher < 1.3.7 - Authenticated (Low Privilege) Local File Inclusion
https://notcve.org/view.php?id=CVE-2021-24566
The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode. The WooCommerce Currency Switcher plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.7 via the "woocs.php" file. This allows low-level authenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. • https://jetpack.com/2021/07/22/severe-vulnerability-patched-in-woocommerce-currency-switcher https://wpscan.com/vulnerability/a0bc4b13-53fe-462d-8306-8915196d3a5a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
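The attack path described above (a low-privilege user places a shortcode whose attribute reaches an include statement) is shown below as an added illustrative example. It is not the plugin's code: the shortcode name "woocs" is from the advisory, but the attribute name, the templates directory and the allowlist are assumptions for the demonstration, and the shortcode tags are suffixed so they cannot collide with the real one.

```php
<?php
// Added example: shortcode-driven file inclusion, vulnerable and hardened (not plugin code).
// Threat model from the advisory: an authenticated low-privilege user (e.g. a Contributor,
// who can write posts and preview them) controls the shortcode attributes.

// Vulnerable pattern: the attribute selects the file that gets included.
add_shortcode('woocs_demo_vuln', function ($atts) {
    $atts = shortcode_atts(array('template' => 'default'), $atts, 'woocs_demo_vuln');
    ob_start();
    // [woocs_demo_vuln template="../../../../uploads/2021/07/avatar.jpg"]
    // walks out of the templates directory; if that "image" carries PHP, it executes.
    include plugin_dir_path(__FILE__) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
});

// Hardened pattern: map the attribute to a fixed allowlist, then verify the resolved
// path still lives under the templates directory before including it.
function woocs_demo_resolve_template($name) {
    $allowed = array('default', 'dropdown', 'flags'); // assumed template names
    if (!in_array($name, $allowed, true)) {
        $name = 'default';
    }
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() collapses ../ and symlinks; the prefix check is the actual boundary.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

add_shortcode('woocs_demo_safe', function ($atts) {
    $atts = shortcode_atts(array('template' => 'default'), $atts, 'woocs_demo_safe');
    $path = woocs_demo_resolve_template($atts['template']);
    if ($path === false) {
        return '';
    }
    ob_start();
    include $path;
    return ob_get_clean();
});
```

The allowlist is what closes the hole; the realpath prefix check is defence in depth for the case where a later change lets a non-allowlisted name through. Appending a fixed ".php" is not a mitigation on its own, since traversal to an attacker-uploaded file whose name the attacker also chooses still works.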
CVE-2021-20781 – Meta Data Filter & Taxonomies Filter <= 1.2.7.2 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2021-20781
Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data Filter & Taxonomies Filter versions prior to v.1.2.8 and versions prior to v.2.2.8 allows remote attackers to hijack the authentication of administrators via unspecified vectors. The Meta Data Filter & Taxonomies Filter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions prior to v.2.2.8. This is due to missing or incorrect nonce validation on the draw_settings_page() function. This makes it possible for unauthenticated attackers to inject malicious JavaScript via a forged request, provided that they can trick a site administrator into performing an action such as clicking on a link. • https://jvn.jp/en/jp/JVN48413554/index.html https://wp-filter.com https://wp-filter.com/update-v-2-2-8-v-1-2-8 • CWE-352: Cross-Site Request Forgery (CSRF) •
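What "missing nonce validation on a settings page" looks like, and the fix, as an added illustrative example. draw_settings_page() is the function the advisory names, but its body below is assumed and is not the plugin's code; the option name, the form field and the nonce action are hypothetical.

```php
<?php
// Added example: settings handler without and with CSRF protection (not plugin code).
// Assumed: the page is registered under wp-admin and the saved option is later
// rendered into the admin UI, which is why a forged save can plant JavaScript.

// Vulnerable pattern: any POST is trusted, stored, and reflected unescaped.
function demo_draw_settings_page_vuln() {
    if (isset($_POST['mdf_custom_css'])) {
        update_option('mdf_custom_css', $_POST['mdf_custom_css']);
    }
    $css = get_option('mdf_custom_css', '');
    echo '<form method="post"><textarea name="mdf_custom_css">' . $css . '</textarea>'
       . '<input type="submit" value="Save"></form>';
}
// A page the administrator is lured to can auto-submit, with the admin's cookies attached:
//   <form action="https://victim.example/wp-admin/admin.php?page=mdf_settings" method="post">
//     <input name="mdf_custom_css" value="</textarea><script>/* attacker JS */</script>">
//   </form><script>document.forms[0].submit()</script>
// The browser sends the session cookie; the handler cannot tell this from a real save.

// Hardened pattern: capability check, nonce bound to this action and user, then
// sanitise what is stored and escape what is rendered.
function demo_draw_settings_page_safe() {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You do not have permission to manage these settings.', 'mdf-demo'));
    }
    if (isset($_POST['mdf_custom_css'])) {
        // Terminates the request with 403 unless _wpnonce is a valid nonce for
        // 'mdf_save_settings' issued to the current user; a cross-site form cannot know it.
        check_admin_referer('mdf_save_settings', '_wpnonce');
        $css = wp_strip_all_tags(wp_unslash($_POST['mdf_custom_css']));
        update_option('mdf_custom_css', $css);
    }
    $css = get_option('mdf_custom_css', '');
    echo '<form method="post">';
    wp_nonce_field('mdf_save_settings', '_wpnonce');   // emits the hidden nonce input
    echo '<textarea name="mdf_custom_css">' . esc_textarea($css) . '</textarea>'
       . '<input type="submit" value="Save"></form>';
}
```

The nonce only helps if it is actually checked on every state-changing branch; a nonce field in the form with no check_admin_referer() (or wp_verify_nonce()) on the handler is the "incorrect validation" case the advisory refers to. The capability check is a separate control: the nonce proves intent, current_user_can() proves authority.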