CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10486 – Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File
https://notcve.org/view.php?id=CVE-2024-10486
The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks. • https://plugins.trac.wordpress.org/browser/google-listings-and-ads/tags/2.8.6/vendor/googleads/google-ads-php/scripts/print_php_information.php https://www.wordfence.com/threat-intel/vulnerabilities/id/64bc7d47-6b63-4fd9-85d4-82126f86308a?source=cve • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51502 – WordPress WooCommerce Stripe Payment Gateway Plugin <= 7.6.1 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-51502
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce WooCommerce Stripe Payment Gateway. Este problema afecta a WooCommerce Stripe Payment Gateway: desde n/a hasta 7.6.1. The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.6.1 via the update_payment_intent_ajax due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to make updates to payments that don't belong to their orders. • https://patchstack.com/database/vulnerability/woocommerce-gateway-stripe/wordpress-woocommerce-stripe-gateway-plugin-7-6-1-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-47777 – WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2023-47777
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1. Neutralización inadecuada de la entrada durante la vulnerabilidad de generación de páginas web ('Scripting entre sitios') en Automattic WooCommerce, Automattic WooCommerce Blocks permite XSS almacenado. Este problema afecta a WooCommerce: desde n/a hasta 8.1.1; WooCommerce Blocks: desde n/a hasta 11.1.1. The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a featured image 'alt' attribute in versions up to, and including, 8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/articles/authenticated-stored-xss-in-woocommerce-and-jetpack-plugin?_s_id=cve https://patchstack.com/database/vulnerability/woo-gutenberg-products-block/wordpress-woocommerce-blocks-plugin-11-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-1-1-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47787 – WordPress WooCommerce Bookings Plugin <= 2.0.3 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-47787
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 2.0.3. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en WooCommerce WooCommerce Bookings. Este problema afecta a WooCommerce Bookings: desde n/a hasta 2.0.3. The WooCommerce Bookings plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.3. This is due to missing or incorrect nonce validation on one of its functions. • https://patchstack.com/database/vulnerability/woocommerce-bookings/wordpress-woocommerce-bookings-plugin-2-0-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37871 – WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR)
https://notcve.org/view.php?id=CVE-2023-37871
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6. Vulnerabilidad de omisión de autorización a través de clave controlada por el usuario en WooCommerce GoCardless. Este problema afecta a GoCardless: desde n/a hasta 2.5.6. The WooCommerce GoCardless Gateway plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.5.6. This is due to missing validation on a user controlled key. • https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •