CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

• https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=cve
• https://plugins.trac.wordpress.org/browser/devvn-image-hotspot/trunk/admin/inc/add_shortcode_devvn_ihotspot.php#L16
• https://plugins.trac.wordpress.org/changeset/3139899
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Le Van Toan Woocommerce Vietnam Checkout allows Stored XSS. This issue affects Woocommerce Vietnam Checkout: from n/a through 2.0.7.

• https://patchstack.com/database/vulnerability/woo-vietnam-checkout/wordpress-woocommerce-vietnam-checkout-plugin-2-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1

The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to XSS. The Woocommerce Vietnam Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom shipping phone number in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

• https://wpscan.com/vulnerability/e93841ef-e113-41d3-9fa1-b21af85bd812
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the Le Van Toan Woocommerce Vietnam Checkout plugin, versions <= 2.0.4. The Woocommerce Vietnam Checkout plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'from' and 'to' parameters in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

• https://patchstack.com/database/vulnerability/woo-vietnam-checkout/wordpress-woocommerce-vietnam-checkout-plugin-2-0-4-cross-site-scripting-xss?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')