24 results (0.011 seconds)

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. • https://github.com/woocommerce/woocommerce/pull/49370 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3115837%40woocommerce%2Ftrunk&old=3106873%40woocommerce%2Ftrunk&sfp_email=&sfph_mail= https://raw.githubusercontent.com/woocommerce/woocommerce/trunk/changelog.txt https://www.wordfence.com/threat-intel/vulnerabilities/id/b5dfe2a5-612f-4e6c-a639-4afcff2ffa4c?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 9.1.2. The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled. • https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-9-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing.This issue affects WooCommerce: from n/a through 8.9.2. Neutralización inadecuada de elementos especiales en la salida utilizados por una vulnerabilidad de componente posterior ('Injection') en Automattic WooCommerce permite la suplantación de contenido. Este problema afecta a WooCommerce: desde n/a hasta 8.9.2. The WooCommerce plugin for WordPress is vulnerable to content injection in all versions up to, and including, 8.9.2. This is due to the plugin not properly restricting/validating content. • https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-9-2-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. • https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0 https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4 https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67 https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.5.2. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Automattic WooCommerce. Este problema afecta a WooCommerce: desde n/a hasta 8.5.2. The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.5.2. This is due to missing or incorrect nonce validation on a function. • https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •