Filtered by vendor Woocommerce
Subscribe
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-36511 | 1 Woocommerce | 1 Woocommerce Order Barcodes | 2024-02-05 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Order Barcodes plugin <= 1.6.4 versions. | |||||
CVE-2023-36513 | 1 Woocommerce | 1 Automatewoo | 2024-02-05 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce AutomateWoo plugin <= 5.7.5 versions. | |||||
CVE-2023-36514 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2024-02-05 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Shipping Multiple Addresses plugin <= 3.8.5 versions. | |||||
CVE-2023-35880 | 1 Woocommerce | 1 Brands | 2024-02-05 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Brands plugin <= 1.6.49 versions. | |||||
CVE-2023-33316 | 1 Woocommerce | 1 Automatewoo | 2024-02-04 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | |||||
CVE-2023-35917 | 1 Woocommerce | 1 Paypal Payments | 2024-02-04 | N/A | 8.8 HIGH |
Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce PayPal Payments plugin <= 2.0.4 versions. | |||||
CVE-2023-35918 | 1 Woocommerce | 1 Bulk Stock Management | 2024-02-04 | N/A | 6.1 MEDIUM |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Bulk Stock Management plugin <= 2.2.33 versions. | |||||
CVE-2023-2179 | 1 Woocommerce | 1 Woocommerce Order Status Change Notifier | 2024-02-04 | N/A | 6.5 MEDIUM |
The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example | |||||
CVE-2023-33319 | 1 Woocommerce | 1 Automatewoo | 2024-02-04 | N/A | 6.1 MEDIUM |
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Follow-Up Emails (AutomateWoo) plugin <= 4.9.40 versions. | |||||
CVE-2022-2099 | 1 Woocommerce | 1 Woocommerce | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | |||||
CVE-2021-24940 | 1 Woocommerce | 1 Persian-woocommerce | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue | |||||
CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue | |||||
CVE-2021-24171 | 1 Woocommerce | 1 Upload Files | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. It was possible to bypass this and upload a file with a PHP extension by embedding a "blocked" extension within another "blocked" extension in the "wcuf_file_name" parameter. It was also possible to perform a double extension attack and upload files to a different location via path traversal using the "wcuf_current_upload_session_id" parameter. | |||||
CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2024-02-04 | 3.5 LOW | 4.8 MEDIUM |
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | |||||
CVE-2021-32790 | 1 Woocommerce | 1 Woocommerce | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading. | |||||
CVE-2021-24212 | 1 Woocommerce | 1 Help Scout | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp. | |||||
CVE-2020-35627 | 1 Woocommerce | 1 Gift Cards | 2024-02-04 | 7.5 HIGH | 8.8 HIGH |
Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift Card Template", the function of uploading a custom image is used, changing the name of the image extension to PHP and executing PHP code on the server. | |||||
CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2024-02-04 | 5.0 MEDIUM | 5.3 MEDIUM |
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | |||||
CVE-2020-11497 | 1 Woocommerce | 1 Nab Transact | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step. | |||||
CVE-2019-20891 | 1 Woocommerce | 1 Woocommerce | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. |