CVE-2024-10828 – Advanced Order Export For WooCommerce <= 3.5.5 - Unauthenticated PHP Object Injection via Order Details
https://notcve.org/view.php?id=CVE-2024-10828
The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/woo-order-export-lite/trunk/classes/PHPExcel/Shared/XMLWriter.php#L83 https://plugins.trac.wordpress.org/browser/woo-order-export-lite/trunk/classes/core/trait-woe-core-extractor.php#L996 https://www.wordfence.com/threat-intel/vulnerabilities/id/a1c6eed6-7b3f-4b37-85f8-6613527daa54?source=cve • CWE-502: Deserialization of Untrusted Data •
CVE-2022-40128 – WordPress Advanced Order Export For WooCommerce plugin <= 3.3.2 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-40128
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el complemento Advanced Order Export For WooCommerce de WordPress en versiones <= 3.3.2 que conduce a la descarga del archivo de exportación. The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on the export download functionality. This makes it possible for unauthenticated attackers to execute this code on behalf of an administrator, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/woo-order-export-lite/wordpress-advanced-order-export-for-woocommerce-plugin-3-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve https://wordpress.org/plugins/woo-order-export-lite • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-35275 – WordPress Advanced Order Export For WooCommerce plugin <= 3.3.1 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2022-35275
Authenticated (shop manager+) Reflected Cross-Site Scripting (XSS) vulnerability in AlgolPlus Advanced Order Export For WooCommerce plugin <= 3.3.1 at WordPress. Una vulnerabilidad de tipo Cross-Site Scripting (XSS) Reflejado Autenticado (administrador de tienda+) en el plugin AlgolPlus Advanced Order Export For WooCommerce versiones anteriores a 3.3.1 incluyéndola, en WordPress The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘'method' parameter in versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/woo-order-export-lite/wordpress-advanced-order-export-for-woocommerce-plugin-3-3-1-reflected-cross-site-scripting-xss-vulnerability/_s_id=cve https://wordpress.org/plugins/woo-order-export-lite • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-24169 – Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24169
This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS. Este plugin de WordPress Advanced Order Export For WooCommerce versiones anteriores a 3.1.8, le ayuda a exportar fácilmente los datos de pedidos de WooCommerce. El parámetro tab en el Admin Panel es vulnerable a un ataque de tipo XSS reflejado WordPress Advanced Order Export For WooCommerce plugin version 3.1.7 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/50324 http://packetstormsecurity.com/files/164263/WordPress-Advanced-Order-Export-For-WooCommerce-3.1.7-Cross-Site-Scripting.html https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-27349 – Advanced Order Export for WooCommerce <= 3.1.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-27349
Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a different vulnerability than CVE-2020-11727. Advanced Order Export versiones anteriores a 3.1.8, para WooCommerce permite un XSS, una vulnerabilidad diferente de CVE-2020-11727. • https://wordpress.org/plugins/woo-order-export-lite/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •