CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25929 – WordPress Product Catalog Mode For Woocommerce plugin <= 5.0.5 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-25929
Missing Authorization vulnerability in MultiVendorX Product Catalog Enquiry for WooCommerce by MultiVendorX.This issue affects Product Catalog Enquiry for WooCommerce by MultiVendorX: from n/a through 5.0.5. Vulnerabilidad de autorización faltante en MultiVendorX Product Catalog Enquiry for WooCommerce by MultiVendorX. Este problema afecta la consulta del catálogo de productos para WooCommerce de MultiVendorX: desde n/a hasta 5.0.5. The Product Catalog Enquiry for WooCommerce by MultiVendorX plugin for WordPress is vulnerable to cross-site request forgery due to an improper capability check on the 'catalog_permission' function in versions up to, and including, 5.0.5. While the REST endpoints are only initialized for administrator users, the fact that the 'catalog_permission' returns true means that the REST route is treated as unauthenticated and thus does not require a REST nonce. • https://patchstack.com/database/vulnerability/woocommerce-catalog-enquiry/wordpress-product-catalog-mode-for-woocommerce-plugin-5-0-5-broken-access-control-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-50899 – Product Catalog Enquiry <= 5.0.2 - Missing Authorization
https://notcve.org/view.php?id=CVE-2023-50899
The Product Catalog Mode For Woocommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to an improper capability check on the catalog_rest_routes_react_module REST endpoints in all versions up to 5.0.3 (exclusive). This makes it possible for unauthenticated attackers to view data from admin tabs and save enquiries. • CWE-862: Missing Authorization •