CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10614 – Customer Reviews for WooCommerce <= 5.61.0 - Missing Authorization to Authenticated (Subscriber+) Import Cancellation
https://notcve.org/view.php?id=CVE-2024-10614
15 Nov 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and import or check on the status. • https://plugins.trac.wordpress.org/changeset/3188169/customer-reviews-woocommerce/trunk/includes/import-export/class-cr-reviews-importer.php • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3731 – Customer Reviews for WooCommerce <= 5.47.0 - Reflected Cross-Site Scripting via 's'
https://notcve.org/view.php?id=CVE-2024-3731
18 Apr 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento Customer Reviews for WooCommerce para WordPress es vulnerable a R... • https://plugins.trac.wordpress.org/changeset/3072688/customer-reviews-woocommerce/trunk/includes/reminders/class-cr-reminders-log-table.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3869 – Customer Reviews for WooCommerce <= 5.46.0 - Missing Authorization to Authenticated (Subscriber+) Coupon Search
https://notcve.org/view.php?id=CVE-2024-3869
15 Apr 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'woocommerce_json_search_coupons' function . This makes it possible for attackers with subscriber level access to view coupon codes. El complemento Customer Reviews for WooCommerce para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función 'woocommerce_json_search_coupons'. Esto hace posible que los... • https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/settings/class-cr-settings-review-discount.php#L470 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3243 – Customer Reviews for WooCommerce <= 5.46.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending
https://notcve.org/view.php?id=CVE-2024-3243
15 Apr 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 5.46.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to send arbitrary test emails. El complemento Customer Reviews for WooCommerce para WordPress es vulnerable al envío de correo electrónico no autorizado debido a una falta de verificación de capacidad en ... • https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/trunk/includes/settings/class-cr-settings-review-discount.php#L506 • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1044 – Customer Reviews for WooCommerce <= 5.38.10 - Improper Authorization via submit_review
https://notcve.org/view.php?id=CVE-2024-1044
06 Feb 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled. El complemento Customer Reviews for WooCommerce para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta... • https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce%2Ftags%2F5.38.12&old=3032310&new_path=%2Fcustomer-reviews-woocommerce%2Ftags%2F5.39.0&new=3032310&sfp_email=&sfph_mail= • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6979 – Customer Reviews for WooCommerce <= 5.38.9 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-6979
09 Jan 2024 — The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, and including, 5.38.9. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Customer Reviews for WooCommerce para WordPress es vulnerable a cargas de archivos ... • https://drive.proton.me/urls/K4R2HDQBS0#iuTPm3NqZEdz • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0079 – Customer Reviews for WooCommerce < 5.17.0 - Contributor+ Stored XSS
https://notcve.org/view.php?id=CVE-2023-0079
24 Jan 2023 — The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. El complemento de WordPress Customer Reviews for WooCommerce anterior a 5.17.0 no valida ni escapa algunos de sus atributos de shortcode antes de devolverlos a una página/publicación donde está incrust... • https://wpscan.com/vulnerability/fdaba4d1-950d-4512-95de-cd43fe9e73e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-0080 – Customer Reviews for WooCommerce < 5.16.0 - Contributor+ LFI
https://notcve.org/view.php?id=CVE-2023-0080
23 Jan 2023 — The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that gi... • https://wpscan.com/vulnerability/6b0d63ed-e244-4f20-8f10-a6e0c7ccadd4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38134 – WordPress Customer Reviews for WooCommerce plugin <= 5.3.5 - Authenticated Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2022-38134
22 Sep 2022 — Authenticated (subscriber+) Broken Access Control vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. Una vulnerabilidad de Control de Acceso Roto Autenticado (suscriptor+) en el plugin Customer Reviews for WooCommerce versiones anteriores a 5.3.5 incluyéndola en WordPress. The Customer Reviews for WooCommerce plugin contains several AJAX actions that are not protected by capability or nonce checks in versions up to, and including, 5.3.5. This allows authenticated users, such as ... • https://patchstack.com/database/vulnerability/customer-reviews-woocommerce/wordpress-customer-reviews-for-woocommerce-plugin-5-3-5-authenticated-broken-access-control-vulnerability/_s_id=cve • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38470 – WordPress Customer Reviews for WooCommerce plugin <= 5.3.5 - Cross-Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2022-38470
22 Sep 2022 — Cross-Site Request Forgery (CSRF) vulnerability in Customer Reviews for WooCommerce plugin <= 5.3.5 at WordPress. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en el plugin Customer Reviews for WooCommerce versiones anteriores a 5.3.5 incluyéndola en WordPress. The Customer Reviews for WooCommerce plugin contains several AJAX actions that are not protected by capability or nonce checks in versions up to, and including, 5.3.5. This allows unauthenticated attackers to perform actions that shoul... • https://patchstack.com/database/vulnerability/customer-reviews-woocommerce/wordpress-customer-reviews-for-woocommerce-plugin-5-3-5-cross-site-request-forgery-csrf-vulnerability/_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •