CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1120 – NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure
https://notcve.org/view.php?id=CVE-2024-1120
The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack. Los complementos The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce para WordPress son vulnerables al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función download_tools_settings() en todas las versiones hasta e incluyendo , 2.17.0. Esto hace posible que atacantes no autenticados exporten información del sistema que puede ayudar a los atacantes en un ataque. • https://plugins.trac.wordpress.org/browser/finale-woocommerce-sales-countdown-timer-discount/trunk/includes/wcct-xl-support.php#L710 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042127%40finale-woocommerce-sales-countdown-timer-discount&new=3042127%40finale-woocommerce-sales-countdown-timer-discount&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/3d9332be-2cf0-46cd-81e4-6436aeec0f83?source=cve • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-39162 – WordPress User Email Verification for WooCommerce Plugin <= 3.5.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-39162
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in XLPlugins User Email Verification for WooCommerce plugin <= 3.5.0 versions. Se ha encontrado una vulnerabilidad de Cross-Site Scripting (XSS) reflejado no autenticado en el plugin de XLPlugins llamado User Email Verification para WooCommerce en versiones anteriores e incluyendo la 3.5.0. The User Email Verification for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/woo-confirmation-email/wordpress-user-email-verification-for-woocommerce-plugin-3-5-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •