CVE-2024-2838 – WPC Composite Products for WooCommerce <= 7.2.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-2838
The WPC Composite Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooco_components[0][name]' parameter in all versions up to, and including, 7.2.7 due to insufficient input sanitization and output escaping and missing authorization on the ajax_save_components function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
• https://plugins.trac.wordpress.org/changeset/3069973/wpc-composite-products/trunk/includes/class-wooco.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/d3bea017-9fc3-4e14-97c4-5bb525650cde?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6494 – WPC Smart Quick View for WooCommerce <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6494
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3069323%40woo-smart-quick-view&new=3069323%40woo-smart-quick-view&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/45ac52e1-9f0e-499e-9125-2581940f5bdd?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-30537 – WordPress WPC Badge Management for WooCommerce plugin <= 2.4.0 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-30537
Missing Authorization vulnerability in WPClever WPC Badge Management for WooCommerce. This issue affects WPC Badge Management for WooCommerce: from n/a through 2.4.0. The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
• https://patchstack.com/database/vulnerability/wpc-badge-management/wordpress-wpc-badge-management-for-woocommerce-plugin-2-4-0-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2023-52127 – WordPress WPC Product Bundles for WooCommerce Plugin <= 7.3.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-52127
Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Product Bundles for WooCommerce. This issue affects WPC Product Bundles for WooCommerce: from n/a through 7.3.1. The WPC Product Bundles for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.3.1. This is due to missing or incorrect nonce validation on several functions in /includes/class-woosb.php.
• https://patchstack.com/database/vulnerability/woo-product-bundle/wordpress-wpc-product-bundles-for-woocommerce-plugin-7-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2023-34386 – WordPress WPC Smart Wishlist for WooCommerce Plugin <= 4.7.1 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2023-34386
Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Smart Wishlist for WooCommerce plugin <= 4.7.1 versions. The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7.1. This is due to missing or incorrect nonce validation on the wishlist_add and wishlist_remove functions. This makes it possible for unauthenticated attackers to add or remove wishlist items via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/woo-smart-wishlist/wordpress-wpc-smart-wishlist-for-woocommerce-plugin-4-6-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
• CWE-352: Cross-Site Request Forgery (CSRF)