CVE-2024-8277 – WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-8277
10 Sep 2024 — The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating which user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with ... • https://github.com/realbotnet/CVE-2024-8277 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVE-2024-4039 – Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-4039
09 May 2024 — The Orders Tracking for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. A partial patch was released in 1.2.10, and a complete patch was released in 1.2.11. • https://plugins.trac.wordpress.org/browser/woo-orders-tracking/trunk/includes/frontend/frontend.php#L55 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
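The pattern behind CVE-2024-4039 is a request handler that hands client-controlled text to do_shortcode(). The following is an added example, not code from the Orders Tracking plugin or from VillaTheme: the AJAX action name, the nonce action, the allowlisted shortcode name and the parameter names are all assumptions chosen for illustration. It shows the vulnerable shape next to a hardened one in which the server, not the client, decides which shortcode runs.

```php
<?php
// Added example (not the plugin's code). Names such as 'vi_render_tracking',
// 'vi_tracking_nonce' and 'vi_order_tracking' are assumptions for illustration.

// Vulnerable shape: the client supplies the shortcode string and the server runs it.
// Registered under wp_ajax_nopriv_, every shortcode on the site (from any plugin)
// becomes reachable by an unauthenticated visitor, with whatever that shortcode does.
function vi_render_tracking_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // attacker controls the whole string
    wp_die();
}

// Hardened shape: the client only picks a tag from a fixed allowlist and supplies
// attributes that are sanitized individually; the shortcode string is assembled
// server-side, so the request can never name a different shortcode or attribute.
function vi_render_tracking_hardened() {
    check_ajax_referer( 'vi_tracking_nonce', 'nonce' ); // dies with 403 on failure

    $allowed = array( 'vi_order_tracking' ); // assumed shortcode name
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    // sanitize_email() strips quotes and brackets, so the value cannot close the
    // attribute or the shortcode; esc_attr() is belt-and-braces for the quoting.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    $html = do_shortcode(
        sprintf( '[%s order_id="%d" email="%s"]', $tag, $order_id, esc_attr( $email ) )
    );
    wp_send_json_success( $html );
}
add_action( 'wp_ajax_vi_render_tracking',        'vi_render_tracking_hardened' );
add_action( 'wp_ajax_nopriv_vi_render_tracking', 'vi_render_tracking_hardened' );
```

When auditing a plugin for this class, grep for do_shortcode( and check whether any argument can be traced back to $_GET, $_POST or $_REQUEST without passing through a fixed allowlist; a "partial patch" typically sanitizes the string but still lets the caller choose the tag.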
CVE-2023-50831 – WordPress CURCY Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50831
19 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme CURCY – Multi Currency for WooCommerce allows Stored XSS. This issue affects CURCY – Multi Currency for WooCommerce: from n/a through 2.2.0. • https://patchstack.com/database/vulnerability/woo-multi-currency/wordpress-curcy-plugin-2-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-48778 – WordPress Product Size Chart For WooCommerce Plugin <= 1.1.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-48778
28 Nov 2023 — Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Product Size Chart For WooCommerce. This issue affects Product Size Chart For WooCommerce: from n/a through 1.1.5. The Product Size Chart For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.5. This ... • https://patchstack.com/database/vulnerability/product-size-chart-for-woo/wordpress-product-size-chart-for-woocommerce-plugin-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-4216 – Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read
https://notcve.org/view.php?id=CVE-2023-4216
14 Aug 2023 — The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file. • https://wpscan.com/vulnerability/8189afc4-17b3-4696-89e1-731011cb9e2b • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2023-30482 – WordPress WPBulky Plugin < 1.0.10 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-30482
17 Jul 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in VillaTheme WPBulky plugin <= 1.0.10 versions. The WPBulky plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.9 due to insufficient input sanitization via the 'sanitize' function whi... • https://patchstack.com/database/vulnerability/wpbulky-wp-bulk-edit-post-types/wordpress-wpbulky-plugin-1-0-10-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
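Both stored XSS entries above (CVE-2023-50831 in CURCY and CVE-2023-30482 in WPBulky, the latter attributed to an insufficient 'sanitize' function) come down to the same mistake: a blocklist-style sanitizer on input, and no context-aware escaping on output. The block below is an added example, not code from either plugin or from VillaTheme; the meta key '_vi_bulk_note' and the function names are assumptions. It shows why a naive sanitizer fails, with a concrete payload that survives it, and the allowlist-plus-escape pattern that replaces it.

```php
<?php
// Added example (not the plugins' code). '_vi_bulk_note' and the vi_* function
// names are assumptions for illustration.

// Insufficient "sanitize": a blocklist that removes the literal <script> tags.
// Anything that is not that exact string gets through: event handlers on any
// element, and nested tags that re-form after a single str_replace pass.
function vi_sanitize_insufficient( $value ) {
    return str_replace( array( '<script>', '</script>' ), '', $value );
}

// Runs without WordPress loaded: str_replace processes the search array in order,
// so '<scr<script>ipt>alert(1)</scr</script>ipt>' loses its inner tags first and
// collapses back into a working '<script>alert(1)</script>'. The handler-based
// payload '<img src=x onerror=alert(document.cookie)>' contains no <script> at all
// and is returned untouched.
function vi_blocklist_bypassed() {
    $nested  = '<scr<script>ipt>alert(1)</scr</script>ipt>';
    $handler = '<img src=x onerror=alert(document.cookie)>';
    return '<script>alert(1)</script>' === vi_sanitize_insufficient( $nested )
        && $handler === vi_sanitize_insufficient( $handler );
}

// Hardened: allowlist-based sanitization when a contributor saves the value.
// wp_kses_post() keeps only the tags and attributes an editor may post; <script>
// and on* attributes are never in that allowlist, so no blocklist is needed.
function vi_save_field( $post_id, $raw ) {
    $clean = wp_kses_post( wp_unslash( $raw ) );
    update_post_meta( $post_id, '_vi_bulk_note', $clean );
}

// ...and escaping for the exact output context when an admin views it. Stored
// data is re-filtered at output as well, because it may predate the fix or have
// been written by another code path that skipped vi_save_field().
function vi_render_field( $post_id ) {
    $value = get_post_meta( $post_id, '_vi_bulk_note', true );
    echo '<td>' . wp_kses_post( $value ) . '</td>';                 // limited HTML allowed
    echo '<input type="text" value="' . esc_attr( $value ) . '">'; // attribute context
    echo '<p>' . esc_html( $value ) . '</p>';                       // plain-text context
}
```

The "contributor+" qualifier in these advisories matters for triage: the attacker only needs the lowest role that can submit content, while the payload fires in the browser of whoever reviews it, typically an administrator.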
CVE-2022-46810 – WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales Plugin <= 1.0.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-46810
25 May 2023 — Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions. • https://patchstack.com/database/vulnerability/woo-thank-you-page-customizer/wordpress-thank-you-page-customizer-for-woocommerce-increase-your-sales-plugin-1-0-13-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-46812 – WordPress Thank You Page Customizer for WooCommerce – Increase Your Sales Plugin <= 1.0.13 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-46812
22 Mar 2023 — Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Thank You Page Customizer for WooCommerce – Increase Your Sales plugin <= 1.0.13 versions. The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.13. This is due to missing or incorrect nonce validation on the send_email function. This makes it possible for unauthenticated attackers to send emails via a forged request granted they c... • https://patchstack.com/database/vulnerability/woo-thank-you-page-customizer/wordpress-thank-you-page-customizer-for-woocommerce-increase-your-sales-plugin-1-0-13-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2022-46806 – WordPress Cart All In One For WooCommerce Plugin <= 1.1.10 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2022-46806
14 Feb 2023 — Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Cart All In One For WooCommerce plugin <= 1.1.10 leading to cart modification. The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.10. This is due to missing or incorrect nonce validation on numerous functions in the 'VI_WOO_CART_ALL_IN_ONE_Frontend_Frontend' class. This makes it possible for unauthenticated attackers to get various information (such as menu ca... • https://patchstack.com/database/vulnerability/woo-cart-all-in-one/wordpress-cart-all-in-one-for-woocommerce-plugin-1-1-10-cross-site-request-forgery-csrf?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
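The four CSRF entries above (CVE-2023-48778, CVE-2022-46810, CVE-2022-46812 on the send_email function, and CVE-2022-46806 on the 'VI_WOO_CART_ALL_IN_ONE_Frontend_Frontend' class) share one root cause the advisories name directly: missing or incorrect nonce validation on admin-ajax.php handlers. This is an added example, not code from any of these plugins or from VillaTheme; the action name 'vi_send_email', the nonce action string, the script handle and the use of manage_woocommerce as the required capability are assumptions. It contrasts an unprotected handler with one that checks both a nonce and a capability, and shows how the nonce reaches legitimate client code.

```php
<?php
// Added example (not the plugins' code). 'vi_send_email', 'vi-admin', the nonce
// action and the manage_woocommerce capability are assumptions for illustration.

// Vulnerable: a state-changing handler with no nonce and no capability check.
// Any third-party page that auto-submits a form to /wp-admin/admin-ajax.php in the
// victim's browser triggers it with the victim's cookies. Registering the
// wp_ajax_nopriv_ variant additionally exposes it to anonymous callers.
function vi_send_email_vulnerable() {
    $to   = isset( $_POST['to'] ) ? $_POST['to'] : '';
    $body = isset( $_POST['body'] ) ? $_POST['body'] : '';
    wp_mail( $to, 'Thank you for your order', $body );
    wp_die();
}
// Shown for contrast only; not registered, so the hardened handler below wins.
// add_action( 'wp_ajax_vi_send_email',        'vi_send_email_vulnerable' );
// add_action( 'wp_ajax_nopriv_vi_send_email', 'vi_send_email_vulnerable' );

// Hardened: the nonce proves the request came from a page this site served to this
// user; the capability check proves the user may perform the action. Neither
// replaces the other: a nonce is not authorization, and a capability check alone
// does not stop a forged request riding on a logged-in admin's session.
function vi_send_email_hardened() {
    check_ajax_referer( 'vi_send_email', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $to   = isset( $_POST['to'] ) ? sanitize_email( wp_unslash( $_POST['to'] ) ) : '';
    $body = isset( $_POST['body'] ) ? sanitize_textarea_field( wp_unslash( $_POST['body'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'bad recipient', 400 );
    }
    wp_mail( $to, 'Thank you for your order', $body );
    wp_send_json_success();
}
add_action( 'wp_ajax_vi_send_email', 'vi_send_email_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous users have no use for it.

// Hand the nonce to the admin page's script so legitimate requests can include it
// as the 'nonce' POST field that check_ajax_referer() looks for above.
function vi_enqueue_admin_script() {
    wp_enqueue_script( 'vi-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'vi-admin', 'viAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'vi_send_email' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'vi_enqueue_admin_script' );
```

"Incorrect nonce validation" in these advisories usually means one of two things worth checking in review: wp_verify_nonce() is called but its return value is ignored, or the nonce is verified against a different action string from the one it was created with, so it never matches and a fallback path runs anyway.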
CVE-2022-44634 – WordPress S2W – Import Shopify to WooCommerce plugin <= 1.1.12 - Auth. Arbitrary File Read vulnerability
https://notcve.org/view.php?id=CVE-2022-44634
10 Nov 2022 — Auth. (admin+) Arbitrary File Read vulnerability in S2W – Import Shopify to WooCommerce plugin <= 1.1.12 on WordPress. The S2W – Import Shopify to WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.12, via insufficient restrictions in the 'generate_log_ajax' f... • https://patchstack.com/database/vulnerability/import-shopify-to-woocommerce/wordpress-s2w-import-shopify-to-woocommerce-plugin-1-1-12-auth-local-file-inclusion-lfi-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •