Filtered by vendor Woocommerce
Subscribe
Total
63 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | |||||
| CVE-2021-24212 | 1 Woocommerce | 1 Help Scout | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp. | |||||
| CVE-2021-24171 | 1 Woocommerce | 1 Upload Files | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. It was possible to bypass this and upload a file with a PHP extension by embedding a "blocked" extension within another "blocked" extension in the "wcuf_file_name" parameter. It was also possible to perform a double extension attack and upload files to a different location via path traversal using the "wcuf_current_upload_session_id" parameter. | |||||
| CVE-2020-35627 | 1 Woocommerce | 1 Gift Cards | 2024-11-21 | 7.5 HIGH | 8.8 HIGH |
| Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift Card Template", the function of uploading a custom image is used, changing the name of the image extension to PHP and executing PHP code on the server. | |||||
| CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | |||||
| CVE-2020-11497 | 1 Woocommerce | 1 Nab Transact | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step. | |||||
| CVE-2019-9168 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | |||||
| CVE-2019-7441 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state | |||||
| CVE-2019-20891 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | |||||
| CVE-2019-18834 | 1 Woocommerce | 1 Subscriptions | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. | |||||
| CVE-2019-14979 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state | |||||
| CVE-2019-14978 | 1 Woocommerce | 1 Payu India Payment Gateway | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. | |||||
| CVE-2018-20714 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.5 MEDIUM | 8.1 HIGH |
| The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. | |||||
| CVE-2017-18356 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes. | |||||
| CVE-2016-10987 | 1 Woocommerce | 1 Persian Woocommerce Sms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS. | |||||
| CVE-2016-10112 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | |||||
| CVE-2015-2329 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | |||||
| CVE-2015-10115 | 1 Woocommerce | 1 Sidebar Manager To Woosidebars Converter | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, was found in WooSidebars Sidebar Manager Converter Plugin up to 1.1.1 on WordPress. This affects the function process_request of the file classes/class-woosidebars-sbm-converter.php. The manipulation leads to open redirect. It is possible to initiate the attack remotely. Upgrading to version 1.1.2 is able to address this issue. The patch is named a0efb4ffb9dfe2925b889c1aa5ea40b4abbbda8a. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230655. | |||||
| CVE-2015-10114 | 1 Woocommerce | 1 Woosidebars | 2024-11-21 | 5.0 MEDIUM | 4.3 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in WooSidebars Plugin up to 1.4.1 on WordPress. Affected by this issue is the function enable_custom_post_sidebars of the file classes/class-woo-sidebars.php. The manipulation of the argument sendback leads to open redirect. The attack may be launched remotely. Upgrading to version 1.4.2 is able to address this issue. The patch is identified as 1ac6d6ac26e185673f95fc1ccc56a392169ba601. It is recommended to upgrade the affected component. VDB-230654 is the identifier assigned to this vulnerability. | |||||
| CVE-2015-10113 | 1 Woocommerce | 1 Wooframework Tweaks | 2024-11-21 | 4.0 MEDIUM | 3.5 LOW |
| A vulnerability classified as problematic was found in WooFramework Tweaks Plugin up to 1.0.1 on WordPress. Affected by this vulnerability is the function admin_screen_logic of the file wooframework-tweaks.php. The manipulation of the argument url leads to open redirect. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. The identifier of the patch is 3b57d405149c1a59d1119da6e0bb8212732c9c88. It is recommended to upgrade the affected component. The identifier VDB-230653 was assigned to this vulnerability. | |||||