CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 0CVE-2024-10486 – Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File
https://notcve.org/view.php?id=CVE-2024-10486
18 Nov 2024 — The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks. • https://plugins.trac.wordpress.org/browser/google-listings-and-ads/tags/2.8.6/vendor/googleads/google-ads-php/scripts/print_php_information.php • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51502 – WordPress WooCommerce Stripe Payment Gateway Plugin <= 7.6.1 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-51502
27 Dec 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce WooCommerce Stripe Payment Gateway. Este problema afecta a WooCommerce Stripe Payment Gateway: desde n/a hasta 7.6.1. The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Insecure Direct Object R... • https://patchstack.com/database/vulnerability/woocommerce-gateway-stripe/wordpress-woocommerce-stripe-gateway-plugin-7-6-1-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-47777 – WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-47777
15 Nov 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Scripting entre sitios') en Automattic WooCommerce, Automattic WooCommerce Blocks permite XSS almacenado. Este problema afecta a WooCommerce... • https://patchstack.com/articles/authenticated-stored-xss-in-woocommerce-and-jetpack-plugin?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47787 – WordPress WooCommerce Bookings Plugin <= 2.0.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-47787
14 Nov 2023 — Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 2.0.3. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WooCommerce WooCommerce Bookings. Este problema afecta a WooCommerce Bookings: desde n/a hasta 2.0.3. The WooCommerce Bookings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.3. This is due to missing or incorrect nonce validation on one of its function... • https://patchstack.com/database/vulnerability/woocommerce-bookings/wordpress-woocommerce-bookings-plugin-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37871 – WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-37871
10 Jul 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce GoCardless. Este problema afecta a GoCardless: desde n/a hasta 2.5.6. The WooCommerce GoCardless Gateway plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.5.6. This is due to missing validation on a user contro... • https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35876 – WordPress WooCommerce Square Plugin <= 3.8.1 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35876
19 Jun 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce WooCommerce Square. Este problema afecta a WooCommerce Square: desde n/a hasta 3.8.1. The WooCommerce Square plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versio... • https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35914 – WordPress WooCommerce Subscriptions Plugin <= 5.1.2 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-35914
19 Jun 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions.This issue affects Woo Subscriptions: from n/a through 5.1.2. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce Woo Subscriptions. Este problema afecta a Woo Subscriptions: desde n/a hasta 5.1.2. The WooCommerce Subscriptions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on an unknown unction in versions... • https://patchstack.com/database/vulnerability/woocommerce-subscriptions/wordpress-woocommerce-subscriptions-plugin-5-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32747 – WordPress WooCommerce Bookings Plugin <= 1.15.78 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-32747
15 May 2023 — Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce WooCommerce Bookings. Este problema afecta a WooCommerce Bookings: desde n/a hasta 1.15.78. The WooCommerce Bookings plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 1.15.78. This is due to... • https://patchstack.com/database/vulnerability/woocommerce-bookings/wordpress-woocommerce-bookings-plugin-1-15-78-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 93%CPEs: 9EXPL: 7CVE-2023-28121 – WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation
https://notcve.org/view.php?id=CVE-2023-28121
23 Mar 2023 — An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated. The WooCommerce Payments plugin is vulnerable to authentication bypass via the determine_current_user_for_platform_checkout function. This allows unauthenticated attackers to impersonate arbitrar... • https://packetstorm.news/files/id/181061 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 8.8EPSS: 91%CPEs: 31EXPL: 2CVE-2021-32789 – Arbitrary SQL (SQL injection) possible via the Store API component.
https://notcve.org/view.php?id=CVE-2021-32789
03 Jul 2021 — woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starti... • https://github.com/and0x00/CVE-2021-32789 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •