CVE-2023-35915 – WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-35915
20 Jun 2023 — The WooCommerce Payments plugin for WordPress is vulnerable to SQL Injection via the 'currency', 'currency_is', and 'currency_is_not' parameters in versions up to, and including, 5.9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-35917 – WordPress WooCommerce PayPal Payments Plugin <= 2.0.4 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-35917
20 Jun 2023 — The WooCommerce PayPal Payments plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.4. • https://patchstack.com/database/vulnerability/woocommerce-paypal-payments/wordpress-woocommerce-paypal-payments-plugin-2-0-4-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-2834 – BookIt <= 2.3.7 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-2834
20 Jun 2023 — The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. ... WordPress BookIt plugin versions 2.3.7 and below suffer from an authentication bypass vulnerability. • https://www.wordfence.com/blog/2023/06/stylemixthemes-addresses-authentication-bypass-vulnerability-in-bookit-wordpress-plugin • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVE-2023-23795 – WordPress Form Builder Plugin <= 1.9.9.0 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-23795
19 Jun 2023 — The Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.9.9.0. • https://patchstack.com/database/vulnerability/contact-form-add/wordpress-form-builder-create-responsive-contact-forms-plugin-1-9-9-0-cross-site-request-forgery-csrf-leading-to-post-page-deletion-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-3076 – MStore API < 3.9.9 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-3076
19 Jun 2023 — The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. ... The MStore API plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 3.9.8 due to insufficient restriction on roles supplied during registration through the /register REST route. • https://github.com/im-hanzou/MSAPer • CWE-266: Incorrect Privilege Assignment CWE-862: Missing Authorization •
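The defect described for CVE-2023-3076 is a registration endpoint that takes the account role from the request body (CWE-266). The following is an added example and is not MStore API's code: the route name example/v1/register, the function names, and the customer/wholesale account types are assumptions chosen to illustrate the pattern. The vulnerable shape passes the caller's role straight to wp_insert_user(); the hardened shape never reads a role from the request, picks one from a fixed allow-list that cannot contain administrator, and honours the site's registration switch.

```php
<?php
// Added example, not MStore API's code. Route, function names and the
// account_type values are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_register_hardened',
        // Public by design: account creation happens before login.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username'     => array(
                'required'          => true,
                'sanitize_callback' => function ( $v ) { return sanitize_user( $v, true ); },
            ),
            'email'        => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => 'is_email',
            ),
            'password'     => array( 'required' => true ),
            'account_type' => array( 'required' => false ),
            // 'role' is deliberately not declared: a client-supplied role is ignored.
        ),
    ) );
} );

// Vulnerable shape (CWE-266): whatever role the client sends becomes the
// new account's role, so a visitor can POST role=administrator.
function example_register_vulnerable( WP_REST_Request $req ) {
    $user_id = wp_insert_user( array(
        'user_login' => $req['username'],
        'user_email' => $req['email'],
        'user_pass'  => $req['password'],
        'role'       => $req['role'],
    ) );
    return rest_ensure_response( array( 'id' => $user_id ) );
}

// Hardened: the server decides the role.
function example_register_hardened( WP_REST_Request $req ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.', array( 'status' => 403 ) );
    }

    $role    = example_pick_role( $req->get_param( 'account_type' ) );
    $user_id = wp_insert_user( array(
        'user_login' => $req['username'],
        'user_email' => $req['email'],
        'user_pass'  => $req['password'],
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'id' => $user_id, 'role' => $role ) );
}

// Map a client hint onto a closed set of low-privilege roles. The map is the
// only place a role name appears; privileged roles can never be reached from it.
function example_pick_role( $requested ) {
    $allowed = array(
        'customer'  => 'customer',
        'wholesale' => 'wholesale_customer', // assumed plugin-defined role
    );
    if ( is_string( $requested ) && isset( $allowed[ $requested ] ) && get_role( $allowed[ $requested ] ) ) {
        return $allowed[ $requested ];
    }
    return get_option( 'default_role', 'subscriber' );
}
```

When reviewing a plugin's own REST code for this class of bug, grep for 'role' being read from $_POST, $_REQUEST or a WP_REST_Request and handed to wp_insert_user(), wp_update_user() or WP_User::set_role(); a role that is chosen by the caller at all is the finding, regardless of how it is sanitised.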
CVE-2023-3077 – MStore API < 3.9.8 - Unauthenticated Blind SQLi
https://notcve.org/view.php?id=CVE-2023-3077
19 Jun 2023 — The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. ... The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'product_id' parameter in versions up to, and including, 3.9.7 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. • https://wpscan.com/vulnerability/9480d0b5-97da-467d-98f6-71a32599a432 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-1597 – tagDiv Cloud Library < 2.7 - Unauthenticated Arbitrary User Metadata Update to Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-1597
19 Jun 2023 — The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF checks in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog. The tagDiv Cloud Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tdb_user_form_on_submit() function cal... • https://wpscan.com/vulnerability/4eafe111-8874-4560-83ff-394abe7a803b • CWE-862: Missing Authorization •
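CVE-2023-1597 combines the two controls a WordPress admin-ajax handler needs: a nonce (the check whose absence is the CSRF finding in CVE-2023-35917 and CVE-2023-23795 above) and a capability check. Arbitrary user-meta writes escalate because WordPress stores a user's roles in the wp_capabilities user-meta key, so writing that key makes the caller an administrator. The example below is added here and is not tagDiv's code; the action names example_user_form, the meta keys and the nonce action are hypothetical.

```php
<?php
// Added example, not tagDiv's code. Action names, nonce action and meta keys
// are hypothetical; the two missing checks and the meta-key allow-list are the point.

// Vulnerable shape: also hooked for logged-out users, no nonce, no
// capability check, and the caller chooses both the target user and the keys.
add_action( 'wp_ajax_example_user_form', 'example_user_form_vulnerable' );
add_action( 'wp_ajax_nopriv_example_user_form', 'example_user_form_vulnerable' );

function example_user_form_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    foreach ( (array) $_POST['meta'] as $key => $value ) {
        // With $key = "wp_capabilities" and a serialised
        // array( 'administrator' => true ), this is the escalation.
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}

// Hardened shape. No wp_ajax_nopriv_ hook: unauthenticated callers get the
// plain "0" response from admin-ajax.php and never reach the function.
add_action( 'wp_ajax_example_user_form_v2', 'example_user_form_hardened' );

function example_user_form_hardened() {
    // 1. CSRF: nonce bound to this action and to the current session. Dies with
    //    -1 / 403 on failure. The page emits it with wp_create_nonce( 'example_user_form' ).
    check_ajax_referer( 'example_user_form', '_ajax_nonce' );

    // 2. Authorisation: the user themselves, or someone allowed to edit them.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : get_current_user_id();
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The caller never picks meta keys. A fixed allow-list keeps
    //    wp_capabilities and wp_user_level out of reach even for an editor.
    $allowed = array( 'description', 'example_phone' );
    $meta    = isset( $_POST['meta'] ) && is_array( $_POST['meta'] )
        ? wp_unslash( $_POST['meta'] )
        : array();

    $updated = array();
    foreach ( $allowed as $key ) {
        if ( isset( $meta[ $key ] ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( $meta[ $key ] ) );
            $updated[] = $key;
        }
    }
    wp_send_json_success( array( 'user_id' => $user_id, 'updated' => $updated ) );
}

// Helper for code review or a defensive hook: the two meta keys that carry
// privilege. The blog prefix matters on multisite ("wp_2_capabilities").
function example_is_privileged_user_meta( $key ) {
    global $wpdb;
    $prefix = $wpdb->get_blog_prefix();
    return in_array( $key, array( $prefix . 'capabilities', $prefix . 'user_level' ), true );
}
```

Note that check_ajax_referer() on its own is not authorisation: a nonce proves the request came from a page this site served to this user, not that the user may edit the target account. Both checks are needed, and the nopriv hook decides whether logged-out visitors reach the handler at all.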
CVE-2023-35879 – WordPress WooCommerce Product Vendors Plugin <= 2.1.78 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-35879
19 Jun 2023 — The WooCommerce Product Vendors plugin for WordPress is vulnerable to SQL Injection via an unknown parameter in versions up to, and including, 2.1.78 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/vulnerability/woocommerce-product-vendors/wordpress-woocommerce-product-vendors-plugin-2-1-78-shop-manager-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
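The three SQL-injection entries on this page (CVE-2023-35915, CVE-2023-3077 and CVE-2023-35879) describe the same defect: a request parameter spliced into a $wpdb query with neither escaping nor $wpdb->prepare(). The following is an added example and is not code from WooCommerce Payments, MStore API or WooCommerce Product Vendors; the table {$wpdb->prefix}example_payments, the function names, and the reading of currency_is / currency_is_not as lists of currency codes are assumptions. It shows the vulnerable string-built query, the prepared form, and the list-valued case where prepare() has no placeholder and developers most often fall back to concatenation.

```php
<?php
// Added example, not code from any plugin on this page. Table name, function
// names and the list reading of currency_is / currency_is_not are assumptions.

// Vulnerable shape (CWE-89): request values concatenated into the SQL.
// currency = "USD' OR 1=1 -- " or product_id = "1 OR SLEEP(5)" rewrites the query.
function example_lookup_vulnerable( array $request ) {
    global $wpdb;
    $currency   = $request['currency'];
    $product_id = $request['product_id'];
    $sql = "SELECT order_id, amount FROM {$wpdb->prefix}example_payments
            WHERE currency = '$currency' AND product_id = $product_id";
    return $wpdb->get_results( $sql );
}

// Hardened: every user-controlled value is bound through $wpdb->prepare().
// %s is quoted and escaped, %d is cast to int, so input can only be data.
// esc_sql() alone would not save product_id: an unquoted numeric context
// needs no quote character to break out of.
function example_lookup_hardened( array $request ) {
    global $wpdb;
    $currency   = isset( $request['currency'] )
        ? strtoupper( sanitize_text_field( wp_unslash( $request['currency'] ) ) )
        : '';
    $product_id = isset( $request['product_id'] ) ? absint( $request['product_id'] ) : 0;

    // Allow-list on top of binding: ISO 4217 codes are exactly three letters.
    if ( ! preg_match( '/^[A-Z]{3}$/', $currency ) || 0 === $product_id ) {
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT order_id, amount FROM {$wpdb->prefix}example_payments
         WHERE currency = %s AND product_id = %d",
        $currency,
        $product_id
    );
    return $wpdb->get_results( $sql );
}

// List filter (assumed shape of currency_is / currency_is_not). prepare() has
// no IN-list placeholder, so emit one %s per element and pass the values as an
// array; the operator is chosen by the server, never taken from the request.
function example_lookup_by_currency_list( array $currencies, $negate = false ) {
    global $wpdb;
    $codes = array();
    foreach ( $currencies as $c ) {
        $c = strtoupper( sanitize_text_field( wp_unslash( (string) $c ) ) );
        if ( preg_match( '/^[A-Z]{3}$/', $c ) ) {
            $codes[] = $c;
        }
    }
    if ( empty( $codes ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $codes ), '%s' ) );
    $operator     = $negate ? 'NOT IN' : 'IN';
    $sql = $wpdb->prepare(
        "SELECT order_id, amount FROM {$wpdb->prefix}example_payments
         WHERE currency $operator ( $placeholders )",
        array_values( $codes )
    );
    return $wpdb->get_results( $sql );
}
```

Table and column names cannot be bound with prepare(), so they must come from code or from an allow-list, never from the request; a literal percent sign in a prepared query must be written as %%.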
CVE-2023-35880 – WordPress WooCommerce Brands Plugin <= 1.6.49 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-35880
19 Jun 2023 — The WooCommerce Brands plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.49. • https://patchstack.com/database/vulnerability/woocommerce-brands/wordpress-woocommerce-brands-plugin-1-6-49-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-3277 – MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-3277
19 Jun 2023 — The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. • https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L821 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •