
17 matches found

Patchstack
added 2026/02/02 7:52 a.m. | 4 views

WordPress WP eStore plugin < 8.5.5 - Reflected XSS in Category Editing vulnerability

Reflected XSS in Category Editing vulnerability discovered by Bob Matyas in WordPress Plugin WP eStore versions 8.5.5...

CVSS 6.1 | AI score 5.3 | EPSS 0.00407
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack
added 2024/08/13 12:00 a.m. | 11 views

WordPress WP eStore Plugin < 8.5.6 is vulnerable to Cross Site Request Forgery (CSRF)

Software: WP eStore; Type: Plugin; Vulnerable versions: 8.5.6; Fixed in: 8.5.6; OWASP Top 10: A5: Broken Access Control; Classification: Cross Site Request Forgery (CSRF); CVE: CVE-2024-6136; Patch priority: Low; CVSS severity: Low 5.4; Developer: Claim ownership; PSID: cbacff106a90; Credits: Bob Matyas; Required privileg...

CVSS 5.4 | AI score 6.7 | EPSS 0.00294
Exploits: 1 | References: 3 | Affected Software: 1

Patchstack
added 2024/08/13 12:00 a.m. | 8 views

WordPress WP eStore Plugin < 8.5.6 is vulnerable to Cross Site Scripting (XSS)

Software: WP eStore; Type: Plugin; Vulnerable versions: 8.5.6; Fixed in: 8.5.6; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2024-6133; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 0478cdd4af65; Credits: Bob Matyas; Required...

CVSS 6.5 | AI score 5.7 | EPSS 0.00317
Exploits: 1 | References: 3 | Affected Software: 1

Vulnrichment
added 2024/08/10 6:00 a.m. | 10 views

CVE-2024-6134 WP eStore < 8.5.6 - Reflected XSS in Product Editing

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 5.4 | EPSS 0.0039
Exploits: 1 | References: 1

CVE
added 2024/08/10 6:00 a.m. | 43 views

CVE-2024-6134

CVE-2024-6134 affects wp-cart-for-digital-products (WordPress plugin) prior to version 8.5.6. The vulnerability is a Reflected XSS caused by insufficient sanitization/escaping of a parameter before it is echoed on the page, potentially affecting high-privilege users (admin). The issue is publicly...

CVSS 5.4 | AI score 8.6 | EPSS 0.0039
Exploits: 1 | References: 1 | Affected Software: 1

CVE
added 2024/08/09 6:00 a.m. | 46 views

CVE-2024-6136

The CVE-2024-6136 entry concerns wp-cart-for-digital-products for WordPress (pre-8.5.6) lacking CSRF checks in certain areas, potentially enabling a logged-in attacker to cause unintended actions via CSRF. Public advisories from connected sources confirm the issue and note the impact is a CSRF vu...

CVSS 5.4 | AI score 9.4 | EPSS 0.00294
Exploits: 1 | References: 1 | Affected Software: 1

Vulnrichment
added 2024/08/09 6:00 a.m. | 11 views

CVE-2024-6133 WP eStore < 8.5.6 - Reflected XSS in Customer Search

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.2 | EPSS 0.00317
Exploits: 1 | References: 1

Vulnrichment
added 2024/08/09 6:00 a.m. | 13 views

CVE-2024-6136 WP eStore < 8.5.6 - Settings Reset via CSRF

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

AI score 7 | EPSS 0.00294
Exploits: 1 | References: 1

Cvelist
added 2024/08/09 6:00 a.m. | 18 views

CVE-2024-6133 WP eStore < 8.5.6 - Reflected XSS in Customer Search

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

EPSS 0.00317
Exploits: 1 | References: 1

Cvelist
added 2024/08/09 6:00 a.m. | 15 views

CVE-2024-6136 WP eStore < 8.5.6 - Settings Reset via CSRF

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

EPSS 0.00294
Exploits: 1 | References: 1

CVE
added 2024/08/09 6:00 a.m. | 38 views

CVE-2024-6133

The vulnerability CVE-2024-6133 affects the WordPress plugin wp-cart-for-digital-products (pre-8.5.6). The issue is a Reflected Cross-Site Scripting flaw where a parameter is not sanitized/escaped before output, potentially affecting high-privilege users (e.g., admins). Root cause: inadequate inp...

CVSS 6.5 | AI score 8.6 | EPSS 0.00317
Exploits: 1 | References: 1 | Affected Software: 1

Vulnrichment
added 2024/07/15 6:00 a.m. | 14 views

CVE-2024-6075 WP eStore < 8.5.5 - Coupon Deletion via CSRF

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks...

AI score 6.8 | EPSS 0.00419
Exploits: 1 | References: 1

Vulnrichment
added 2024/07/15 6:00 a.m. | 13 views

CVE-2024-6074 WP eStore < 8.5.5 - Reflected XSS in Customer Editing

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 5.8 | EPSS 0.00273
Exploits: 1 | References: 1

Vulnrichment
added 2024/07/15 6:00 a.m. | 12 views

CVE-2024-6076 WP eStore < 8.5.5 - Reflected XSS in Category Editing

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.1 | EPSS 0.00407
Exploits: 1 | References: 1

Vulnrichment
added 2024/07/15 6:00 a.m. | 16 views

CVE-2024-6072 WP eStore < 8.5.5 - Reflected XSS via $_SERVER['REQUEST_URI']

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

AI score 6.2 | EPSS 0.00216
Exploits: 1 | References: 1

Vulnrichment
added 2024/07/15 6:00 a.m. | 11 views

CVE-2024-6073 WP eStore < 8.5.5 - Reflected XSS in Discount Editing

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.1 | EPSS 0.00174
Exploits: 1 | References: 1

Cvelist
added 2024/07/15 6:00 a.m. | 22 views

CVE-2024-6072 WP eStore < 8.5.5 - Reflected XSS via $_SERVER['REQUEST_URI']

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers...

EPSS 0.00216
Exploits: 1 | References: 1