CVE-2024-32814 – WordPress Advanced Local Pickup for WooCommerce plugin <= 1.6.1 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-32814
Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce. This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.6.1. The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices_for_alp_pro() function in versions up to, and including, 1.6.1. This makes it possible for unauthenticated attackers to dismiss upgrade notices.
• https://patchstack.com/database/vulnerability/advanced-local-pickup-for-woocommerce/wordpress-advanced-local-pickup-for-woocommerce-plugin-1-6-1-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2024-31283 – WordPress Advanced Local Pickup for WooCommerce plugin <=1.6.2 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-31283
Missing Authorization vulnerability in zorem Advanced Local Pickup for WooCommerce. This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.6.2. The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ~/include/customizer/customizer-admin.php file in versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to update plugin settings and send test emails.
• https://patchstack.com/database/vulnerability/advanced-local-pickup-for-woocommerce/wordpress-advanced-local-pickup-for-woocommerce-plugin-1-6-2-broken-access-control-vulnerability?_s_id=cve
• CWE-862: Missing Authorization
CVE-2023-2841 – Advanced Local Pickup for WooCommerce <= 1.5.5 - Authenticated (Administrator+) SQL Injection
https://notcve.org/view.php?id=CVE-2023-2841
The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in versions up to, and including, 1.5.5 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with admin-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
• https://plugins.trac.wordpress.org/browser/advanced-local-pickup-for-woocommerce/trunk/include/wc-local-pickup-admin.php?rev=2889033#L447
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2986002%40advanced-local-pickup-for-woocommerce%2Ftrunk&old=2983681%40advanced-local-pickup-for-woocommerce%2Ftrunk&sfp_email=&sfph_mail=
• https://www.wordfence.com/threat-intel/vulnerabilities/id/125e7ea3-574a-4760-b10b-7a98d94c87a5?source=cve
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2022-40702 – WordPress Advanced Local Pickup for WooCommerce Plugin <= 1.5.2 is vulnerable to Broken Access Control
https://notcve.org/view.php?id=CVE-2022-40702
Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce. This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.5.2. The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to unauthorized access of AJAX actions due to a missing capability check on the functions wclp_update_state_dropdown_fun, wclp_update_work_hours_list_fun, wclp_update_edit_location_form_fun, and wclp_apply_work_hours_fun in versions up to, and including, 1.5.2. This makes it possible for subscriber-level attackers to invoke these functions and change plugin settings.
• https://patchstack.com/database/vulnerability/advanced-local-pickup-for-woocommerce/wordpress-advanced-local-pickup-for-woocommerce-plugin-1-5-2-broken-access-control?_s_id=cve
• CWE-862: Missing Authorization