WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation vulnerability
WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin WCFM – Frontend Manager for...
WordPress Eyewear prescription form plugin <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation vulnerability
Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation vulnerability discovered by WordFence in WordPress Plugin Eyewear prescription form versions <= 6.0.1...
CVE-2023-26456
Users were able to set an arbitrary "product name" for OX Guard. The chosen value was not sufficiently sanitized before processing it at the user interface, allowing for indirect cross-site scripting attacks. Accounts that were temporarily taken over could be configured to trigger persistent code...
Xingyuantu SparkShop Security Vulnerability
Xingyuantu SparkShop is an open source shopping mall from the Chinese company Xingyuantu. A security vulnerability exists in Xingyuantu SparkShop v1.16, which stems from a flaw in the payment logic that allows an attacker to arbitrarily modify the number of products...
PT-2023-20649 · Ox Guard · Ox Guard
Name of the Vulnerable Software and Affected Versions: OX Guard, affected versions not specified. Description: The issue allows users to set an arbitrary "product name" for OX Guard, which was not sufficiently sanitized before processing it at the user interface. This enabled indirect cross-site...
WordPress Ultimate Product Catalog plugin <= 5.0.25 - Arbitrary Product Creation & Settings Update vulnerability
Arbitrary Product Creation & Settings Update vulnerability discovered by Krzysztof Zając in WordPress Ultimate Product Catalog plugin versions <= 5.0.25. Solution: Update the WordPress Ultimate Product Catalog plugin to the latest available version, at least 5.0.26...
Ultimate Product Catalog < 5.0.26 - Subscriber+ Arbitrary Product Creation & Settings Update
The plugin does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and add arbitrary products or change the plugin's settings, for example. To add a product: fetch("https://example.com/wp-admin/admin-ajax.php", ...
GHSA-378P-HRQ3-X4P3 Cross-site scripting in Shopizer
A reflected cross-site scripting (XSS) vulnerability in Shopizer before 2.17.0 allows remote attackers to inject arbitrary web script or HTML via the ref parameter to a page about an arbitrary product, e.g., a product/insert-product-name-here.html/ref= URL...
CVE-2019-8292
Online Store System v1.0 deleteproduct.php doesn't check to see if a user is authenticated or has administrative rights, allowing arbitrary product deletion...
CVE-2019-8292
The CVE-2019-8292 entry concerns Online Store System v1.0 where delete_product.php fails to verify authentication or administrative privileges, enabling arbitrary product deletion. This is an access control flaw (no authentication checks or admin rights verification) that directly affects the del...
WordPress Dropshix plugin <= 4.0.11 - Arbitrary Product Import vulnerability
Arbitrary Product Import vulnerability found in WordPress Dropshix plugin versions <= 4.0.11. Solution: Update the WordPress Dropshix plugin to the latest available version, at least 4.0.14...
Dropshix <= 4.0.11 - Arbitrary Product Import
Due to lack of authorisation and CSRF checks in the AJAX function xoxImportItem...