CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6072 – WP eStore < 8.5.5 - Reflected XSS via $_SERVER['REQUEST_URI']
https://notcve.org/view.php?id=CVE-2024-6072
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers El complemento wp-cart-for-digital-products de WordPress anterior a 8.5.5 no escapa del parámetro $_SERVER['REQUEST_URI'] antes de devolverlo en un atributo, lo que podría generar cross-site scripting reflejado en navegadores web antiguos. The WP eStore plugin for WordPress is vul... • https://wpscan.com/vulnerability/1d8a344b-37e9-41e8-9de0-c67b7ca8e21b • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6073 – WP eStore < 8.5.5 - Reflected XSS in Discount Editing
https://notcve.org/view.php?id=CVE-2024-6073
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento wp-cart-for-digital-products de WordPress anterior a 8.5.5 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera Cross-Site Scripting Reflejado que podría usarse contra usuarios con privilegios elevados, como el adminis... • https://wpscan.com/vulnerability/f04994bc-9eef-46de-995b-8598f7a749c4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6074 – WP eStore < 8.5.5 - Reflected XSS in Customer Editing
https://notcve.org/view.php?id=CVE-2024-6074
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento wp-cart-for-digital-products de WordPress anterior a 8.5.5 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera Cross-Site Scripting Reflejado que podría usarse contra usuarios con privilegios elevados, como el adminis... • https://wpscan.com/vulnerability/e518af46-cb8e-43ff-a7c1-5300b36d9113 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6075 – WP eStore < 8.5.5 - Coupon Deletion via CSRF
https://notcve.org/view.php?id=CVE-2024-6075
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks El complemento wp-cart-for-digital-products de WordPress anterior a 8.5.5 no tiene comprobaciones CSRF en algunos lugares, lo que podría permitir a los atacantes hacer que los usuarios que han iniciado sesión realicen acciones no deseadas a través de ataques CSRF. The WP eStore plugin for WordPress is vulnerable... • https://wpscan.com/vulnerability/b0e2658a-b075-48b6-a9d9-e141194117fc • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6076 – WP eStore < 8.5.5 - Reflected XSS in Category Editing
https://notcve.org/view.php?id=CVE-2024-6076
24 Jun 2024 — The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin El complemento wp-cart-for-digital-products de WordPress anterior a 8.5.5 no sanitiza ni escapa un parámetro antes de devolverlo a la página, lo que genera Cross-Site Scripting Reflejado que podría usarse contra usuarios con privilegios elevados, como el adminis... • https://wpscan.com/vulnerability/8369a2d8-1780-40c3-90ff-a826b9e9afd4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6497 – WordPress Simple Shopping Cart <= 4.7.1 - Authenticated(Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6497
26 Jan 2024 — The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where u... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3007737%40wordpress-simple-paypal-shopping-cart&new=3007737%40wordpress-simple-paypal-shopping-cart&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22685 – WordPress Category Specific RSS feed Subscription Plugin <= v2.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-22685
19 Apr 2023 — Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.2 versions. The Category Specific RSS feed Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web... • https://patchstack.com/database/vulnerability/category-specific-rss-feed-menu/wordpress-category-specific-rss-feed-subscription-plugin-v2-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1469 – WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]
https://notcve.org/view.php?id=CVE-2023-1469
17 Mar 2023 — The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This can potentially be exploited by lower-privileged users if the `Admin Dashboard Access Per... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2879453%40wp-express-checkout&new=2879453%40wp-express-checkout&sfp_email=&sfph_mail= • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-1431 – WP Simple Shopping Cart <= 4.6.3 - Information Disclosure
https://notcve.org/view.php?id=CVE-2023-1431
16 Mar 2023 — The WP Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.6.3 due to the plugin saving shopping cart data exports in a publicly accessible location (/wp-content/plugins/wordpress-simple-paypal-shopping-cart/includes/admin/). This makes it possible for unauthenticated attackers to view information that should be limited to administrators only and can include data like first name, last name, email, address, IP Address, and more. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2878855%40wordpress-simple-paypal-shopping-cart&new=2878855%40wordpress-simple-paypal-shopping-cart&sfp_email=&sfph_mail= • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47588 – WordPress Simple Photo Gallery Plugin <= v1.8.1 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2022-47588
27 Jan 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Peter Petreski Simple Photo Gallery simple-photo-gallery allows SQL Injection.This issue affects Simple Photo Gallery: from n/a through v1.8.1. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('Inyección SQL') en Tips and Tricks HQ, Peter Petreski Simple Photo Gallery simple-photo-gallery permite la inyección de SQL. Este problema afecta ... • https://patchstack.com/database/vulnerability/simple-photo-gallery/wordpress-simple-photo-gallery-plugin-v1-8-1-sql-injection?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •