CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5259 – MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution <= 4.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter
https://notcve.org/view.php?id=CVE-2024-5259
The MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hover_animation’ parameter in all versions up to, and including, 4.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. El complemento MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution para WordPress es vulnerable a Cross-Site Scripting Almacenado a través del parámetro 'hover_animation' en todas las versiones hasta la 4.1.11 incluida debido a una sanitización de entrada y un escape de salida insuficientes. Esto hace posible que atacantes autenticados, con acceso de nivel de Colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://plugins.trac.wordpress.org/browser/dc-woocommerce-multi-vendor/trunk/packages/mvx-elementor/widgets/class-mvx-widget-storesocial.php#L150 https://plugins.trac.wordpress.org/changeset/3097002 https://wordpress.org/plugins/dc-woocommerce-multi-vendor/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/59a349f2-048d-49a5-92ea-c19f1d1cd45e?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31304 – WordPress MultiVendorX Marketplace <= 4.1.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31304
Missing Authorization vulnerability in MultiVendorX WC Marketplace.This issue affects WC Marketplace: from n/a through 4.1.3. Vulnerabilidad de autorización faltante en MultiVendorX WC Marketplace. Este problema afecta a WC Marketplace: desde n/a hasta 4.1.3. The WC Marketplace plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/vulnerability/dc-woocommerce-multi-vendor/wordpress-multivendorx-marketplace-4-1-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5348 – Product Catalog Enquiry for WooCommerce < 5.0.3 - Unauthenticated Stored XSS via Arbitrary Setting Update
https://notcve.org/view.php?id=CVE-2023-5348
The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. El complemento Product Catalog Mode For WooCommerce de WordPress anterior a 5.0.3 no autoriza adecuadamente las actualizaciones de configuración ni escapa de los valores de configuración, lo que lleva a que usuarios no autenticados puedan llevar a cabo ataques XSS almacenados. The Product Catalog Mode For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_hover_background_color' parameter in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/b37b09c1-1b53-471c-9b10-7d2d05ae11f1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37972 – WordPress WooCommerce Product Stock Alert Plugin <= 2.0.1 is vulnerable to Sensitive Data Exposure
https://notcve.org/view.php?id=CVE-2023-37972
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in MultiVendorX Product Stock Manager & Notifier for WooCommerce.This issue affects Product Stock Manager & Notifier for WooCommerce: from n/a through 2.0.1. Exposición de información confidencial a una vulnerabilidad de actor no autorizado en MultiVendorX Product Stock Manager & Notifier para WooCommerce. Este problema afecta al Product Stock Manager & Notifier para WooCommerce: desde n/a hasta 2.0.1. The WooCommerce Product Stock Alert plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 2.0.1. This can allow attackers to extract information. • https://patchstack.com/database/vulnerability/woocommerce-product-stock-alert/wordpress-woocommerce-product-stock-alert-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36741 – MultiVendorX – MultiVendor Marketplace Solution For WooCommerce <= 3.5.7 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36741
The MultiVendorX plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.7. This is due to missing or incorrect nonce validation on the submit_comment() function. This makes it possible for unauthenticated attackers to submit comments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •