
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional. This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2. The HUSKY – Products Filter for WooCommerce (formerly WOOF) plugin for WordPress is vulnerable to generic SQL Injection via search terms in versions up to, and including, 1.3.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. • https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-4-2-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. The HUSKY plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.3.1 via deserialization of untrusted input in the get_all_options function. This allows authenticated attackers with administrator-level privileges to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://wpscan.com/vulnerability/067573f2-b1e6-49a9-8c5b-f91e3b9d722f • CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. • https://plugins.trac.wordpress.org/changeset/2648751 https://wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •