
CVSS: 5.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2. The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator-level access and above to inject arbitrary web scripts into pages, which then execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled: on a single-site install administrators already hold the unfiltered_html capability and may publish script legitimately, so the bug crosses a trust boundary only where that capability has been withheld (multisite grants it to super admins alone, and the DISALLOW_UNFILTERED_HTML constant removes it for everyone).
Reference: https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-9-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 3.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2. The WooCommerce plugin for WordPress is vulnerable to content injection in all versions up to, and including, 8.9.2, because the plugin does not properly restrict or validate the content in question.
Reference: https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-9-2-content-injection-vulnerability?_s_id=cve
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML and JavaScript content. While the content is not saved to the database (this is reflected rather than stored XSS), the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content and data stored in the browser, including the session.
References:
https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
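The two XSS entries above (the stored one in 9.1.2 and the reflected one introduced in 8.8) share a root cause the listing names only as "insufficient input sanitization and output escaping". The plugin fragment below is an added example written for this page, not WooCommerce's code or its fix; the option name, query parameter and function names (demo_store_notice, demo_q, demo_*) are invented. It shows one stored sink and one reflected sink first without escaping and then hardened with the WordPress escaping primitives, and it applies the unfiltered_html capability boundary that explains why the stored bug only counts on multisite or where that capability has been withheld.

```php
<?php
/**
 * Plugin Name: Escaping demo (added example; hypothetical, not WooCommerce code)
 *
 * Drop into wp-content/mu-plugins/ to load. All option, parameter and
 * function names below are invented for illustration.
 */

// --- Stored path: an option written from an admin form ---------------------

// Vulnerable: the raw POST value is stored and later printed unchanged.
function demo_save_notice_vulnerable() {
    update_option( 'demo_store_notice', wp_unslash( $_POST['demo_store_notice'] ) );
}
function demo_print_notice_vulnerable() {
    echo '<div class="notice">' . get_option( 'demo_store_notice' ) . '</div>';
}

// Hardened: enforce the same trust boundary WordPress uses for post content.
// Only a user holding unfiltered_html may store markup as-is. Everyone else
// (every administrator on multisite, or everyone when DISALLOW_UNFILTERED_HTML
// is set) gets the value reduced to the wp_kses_post() allow-list, which has
// no <script>, no on* event handlers and no javascript: URLs.
function demo_save_notice_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'demo_save_notice' ); // CSRF protection; separate concern from escaping
    $raw   = isset( $_POST['demo_store_notice'] ) ? wp_unslash( $_POST['demo_store_notice'] ) : '';
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_option( 'demo_store_notice', $clean );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_save_notice', 'demo_save_notice_hardened' );

function demo_print_notice_hardened() {
    // Escape on output no matter what was stored: the option may have been
    // written by older code, by an import, or by another plugin.
    echo '<div class="notice">' . wp_kses_post( get_option( 'demo_store_notice', '' ) ) . '</div>';
}

// --- Reflected path: a query parameter echoed back into the page -----------

// Vulnerable: ?demo_q=%22%3E%3Cscript%3E... closes the attribute and runs.
// Nothing is stored; the attacker only needs a victim to open the link.
function demo_search_box_vulnerable() {
    $q = isset( $_GET['demo_q'] ) ? $_GET['demo_q'] : '';
    echo '<input type="text" name="demo_q" value="' . $q . '">';
    echo '<p>Results for ' . $q . '</p>';
}

// Hardened: choose the escaper by the context the value lands in.
function demo_search_box_hardened() {
    $q = isset( $_GET['demo_q'] ) ? sanitize_text_field( wp_unslash( $_GET['demo_q'] ) ) : '';
    echo '<input type="text" name="demo_q" value="' . esc_attr( $q ) . '">';        // attribute value
    echo '<p>Results for ' . esc_html( $q ) . '</p>';                                // text node
    // add_query_arg() does not escape; esc_url() strips javascript: and encodes quotes.
    echo '<a href="' . esc_url( add_query_arg( 'demo_q', $q ) ) . '">Permalink</a>'; // URL
}
add_shortcode( 'demo_search', function () {
    ob_start();
    demo_search_box_hardened();
    return ob_get_clean();
} );
```

Sanitising on input (sanitize_text_field, wp_kses_post) and escaping on output (esc_attr, esc_html, esc_url) are both needed: the first limits what can be stored, the second is what actually prevents a stored or reflected value from changing the HTML context it is printed into.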

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2. The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.5.2. This is due to missing or incorrect nonce validation on a function; the advisory does not name the affected function.
Reference: https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
CWE-352: Cross-Site Request Forgery (CSRF)
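"Missing or incorrect nonce validation" is the usual shape of a WordPress CSRF finding: a state-changing handler that checks who the user is but not whether the user meant to send the request. The fragment below is an added example for this page, not WooCommerce's code or its fix; the action name demo_clear_cart_sessions, the transient and the function names are invented. It shows the same admin action without a nonce, then hardened for both the admin-post.php and the admin-ajax.php entry points, plus the form that legitimately carries the token.

```php
<?php
/**
 * Plugin Name: Nonce demo (added example; hypothetical, not WooCommerce code)
 *
 * Drop into wp-content/mu-plugins/ to load. Every name below is invented.
 */

// Vulnerable: a capability check alone does not stop CSRF. A logged-in
// shop manager who opens an attacker page containing
//   <img src="https://shop.example/wp-admin/admin-post.php?action=demo_clear_cart_sessions">
// sends their own cookies, passes current_user_can(), and the action runs.
function demo_clear_sessions_vulnerable() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    delete_transient( 'demo_cart_sessions' );  // stand-in for the real side effect
    wp_safe_redirect( admin_url( 'admin.php?page=demo&cleared=1' ) );
    exit;
}

// Hardened: require a nonce bound to this action and this user session.
// check_admin_referer() reads $_REQUEST['_wpnonce'], runs wp_verify_nonce()
// against the action string and dies with a 403 page when it fails, so the
// code after it only runs for a request that originated from our own form.
function demo_clear_sessions_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'demo_clear_cart_sessions' );
    delete_transient( 'demo_cart_sessions' );
    wp_safe_redirect( admin_url( 'admin.php?page=demo&cleared=1' ) );
    exit;
}
add_action( 'admin_post_demo_clear_cart_sessions', 'demo_clear_sessions_hardened' );

// The legitimate trigger: a POST form carrying the matching nonce. The action
// string passed to wp_nonce_field() must equal the one verified above.
function demo_render_clear_button() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_clear_cart_sessions">';
    wp_nonce_field( 'demo_clear_cart_sessions' );   // emits _wpnonce and _wp_http_referer
    submit_button( 'Clear cart sessions' );
    echo '</form>';
}

// For a link instead of a form, wp_nonce_url() appends _wpnonce to the URL;
// the handler above verifies it the same way.
function demo_clear_link() {
    $url = admin_url( 'admin-post.php?action=demo_clear_cart_sessions' );
    return '<a href="' . esc_url( wp_nonce_url( $url, 'demo_clear_cart_sessions' ) ) . '">Clear</a>';
}

// Same control on an AJAX endpoint. check_ajax_referer() with no second
// argument looks for _ajax_nonce, then _wpnonce, and on failure sends -1
// and exits. The capability check still has to be there: the nonce proves
// intent, not authorisation.
function demo_ajax_clear_sessions() {
    check_ajax_referer( 'demo_clear_cart_sessions' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'demo_cart_sessions' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_clear_cart_sessions', 'demo_ajax_clear_sessions' );
```

Two checks that belong together: the nonce answers "did this request come from a page we rendered for this user?", the capability check answers "may this user do this at all?". Removing either reintroduces a bug, and a nonce generated for one action string does not validate for another, so each state-changing handler should use its own.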

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products). The WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to insufficient restrictions in the product shortcode in all versions up to, and including, 8.5.2. This makes it possible for authenticated attackers, with contributor-level access and above, to view private and draft products.
Reference: https://wpscan.com/vulnerability/a7735feb-876e-461c-9a56-ea6067faf277
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
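The reason a contributor can reach this is that shortcodes run when a post is rendered, and a contributor can put any shortcode into their own draft and preview it; the shortcode callback then executes with the contributor's chosen arguments and whatever visibility the callback allows. The fragment below is an added example for this page, not WooCommerce's shortcode class or its 8.6 fix; the shortcode tags demo_product and demo_recent_products and the function names are invented. It shows a single-product shortcode that ignores post status, the same shortcode gated on post status and the per-post read_post capability, and a listing variant that lets WP_Query enforce status.

```php
<?php
/**
 * Plugin Name: Product shortcode access demo (added example; hypothetical, not WooCommerce code)
 *
 * Drop into wp-content/mu-plugins/ on a site with WooCommerce active.
 * Shortcode tags and function names below are invented.
 */

// Vulnerable: fetches the product by ID and prints it whatever its status.
// A contributor who previews [demo_product id="456"] in their own draft
// reads a private, draft or trashed product they could never open in wp-admin.
function demo_product_shortcode_vulnerable( $atts ) {
    $atts    = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_product' );
    $product = wc_get_product( absint( $atts['id'] ) );
    if ( ! $product ) {
        return '';
    }
    return '<div class="product">' . esc_html( $product->get_name() ) . ' '
         . wp_kses_post( $product->get_description() ) . '</div>';
}

// Hardened: the product must be published, or the current user must be
// allowed to read this specific post. 'read_post' is a meta-capability that
// WordPress maps per status: a public status needs only 'read'; 'private'
// needs read_private_products; draft, pending and trash fall through to the
// edit capabilities for that post. A contributor therefore passes only for
// published products and drafts they authored themselves.
function demo_product_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_product' );
    $id   = absint( $atts['id'] );
    if ( ! $id || 'product' !== get_post_type( $id ) ) {
        return '';
    }
    if ( 'publish' !== get_post_status( $id ) && ! current_user_can( 'read_post', $id ) ) {
        return '';   // fail closed and reveal nothing about whether the ID exists
    }
    $product = wc_get_product( $id );
    if ( ! $product ) {
        return '';
    }
    return '<div class="product">' . esc_html( $product->get_name() ) . ' '
         . wp_kses_post( $product->get_description() ) . '</div>';
}
add_shortcode( 'demo_product', 'demo_product_shortcode_hardened' );

// Listing variant: have the query enforce status rather than filtering rows
// afterwards. 'publish' only; never pass post_status => 'any' (or an array
// that includes private/draft/trash) from a front-end shortcode.
function demo_recent_products_shortcode( $atts ) {
    $atts  = shortcode_atts( array( 'limit' => 4 ), $atts, 'demo_recent_products' );
    $query = new WP_Query( array(
        'post_type'      => 'product',
        'post_status'    => 'publish',
        'posts_per_page' => min( 20, absint( $atts['limit'] ) ), // cap attacker-chosen sizes
        'no_found_rows'  => true,
    ) );
    $out = '<ul>';
    foreach ( $query->posts as $post ) {
        $out .= '<li><a href="' . esc_url( get_permalink( $post ) ) . '">'
              . esc_html( get_the_title( $post ) ) . '</a></li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'demo_recent_products', 'demo_recent_products_shortcode' );
```

The same reasoning applies to any shortcode, block render callback or AJAX handler that takes an object ID from a low-privilege user: look the object up, then ask WordPress whether this user may read that object (current_user_can( 'read_post', $id )) before rendering anything from it, and keep the listing queries restricted to published items so the database never returns rows the caller is not allowed to see.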