
CVSS: 5.3 | EPSS: % | CPEs: 1 | EXPL: 0

The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to invalid rating in all versions up to, and including, 1.6.28. This is due to insufficient input validation on the $rating value. This makes it possible for unauthenticated attackers to provide ratings with invalid data. • CWE-20: Improper Input Validation

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3086273%40reviewx%2Ftrunk&old=3054184%40reviewx%2Ftrunk&sfp_email=&sfph_mail= • https://www.wordfence.com/threat-intel/vulnerabilities/id/f8152adf-1ca9-4a19-b539-39e257ab94c8?source=cve • CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Broken Access Control vulnerability in ReviewX. This issue affects ReviewX: from n/a through 1.6.21. The ReviewX plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the remote_post() function in versions up to, and including, 1.6.21. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform a post request. • https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-21-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ReviewX allows Stored XSS. This issue affects ReviewX: from n/a through 1.6.22. The ReviewX plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/reviewx/wordpress-reviewx-plugin-1-6-22-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The ReviewX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rx_coupon_from_submit function in versions up to, and including, 1.6.17. This makes it possible for authenticated attackers, with subscriber-level access and above, to update options. • CWE-862: Missing Authorization