129 matches found
CVE-2023-4948
The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordercvrdata AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above,...
CVE-2023-5132
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerc...
CVE-2024-13623
The Order Export for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.24 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads...
CVE-2024-13623
The CVE-2024-13623 issue affects the WordPress plugin Order Export for WooCommerce. It allows unauthenticated attackers to exfiltrate sensitive data stored in the uploads directory, applicable to all versions up to 3.24. The vulnerability is conditional: it exists when Order data storage is set t...
CVE-2024-13457
The Event Tickets and Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.18.1 via the tc-order-id parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view ord...
MRW plugin information disclosure vulnerability
MRW plugin is a logistics transportation and services plugin from MRW Spain. An information disclosure vulnerability exists in MRW plugin version 5.4.3. A remote attacker could use this vulnerability to obtain order information from other customers and access sensitive information such as names a...
CVE-2023-6214
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.6 via the purchasedproducts function. This makes it possible for unauthenticatied attackers to extract sensitive data including the previous 7...
CVE-2023-6214
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.6 via the purchasedproducts function. This makes it possible for unauthenticatied attackers to extract sensitive data including the previous 7...
HT Mega < 2.4.7 - Unauthenticated Order Data Disclosure
Description The plugin is vulnerable to Sensitive Information Exposure via the purchasedproducts function, allowing unauthenticatied attackers to extract sensitive data including the previous 7 days of order data including products and customer PII...
CVE-2024-1289
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to...
CVE-2024-1686
The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization e in all versions up to, and including, 1.1.2 via the applylayout function due to a missing capability check. This makes it possible for authenticated attackers, with...
PT-2024-18222 · WordPress · The Thank You Page Customizer For Woocommerce
Name of the Vulnerable Software and Affected Versions: The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress versions up to, and including, 1.1.2 Description: The issue is related to missing authorization in the plugin, specifically due to a missing capability...
CVE-2023-46355
In the module "CSV Feeds PRO" csvfeeds 2.6.1 from Bl Modules for PrestaShop, a guest can download personal information without restriction. Due to too permissive access control which does not force administrator to use password on feeds, a guest can access exports from the module which can lead t...
CVE-2023-5132
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerc...
CVE-2023-5132 Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure
The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1. This makes it possible for unauthenticated attackers with knowledge of an existing WooCommerc...
CVE-2023-4947
The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refreshordereandata AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above,...
CVE-2021-4335
The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with...
CVE-2023-5254
The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcldwbchatbotcheckuser function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site ...
CVE-2023-43610
SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor without setting authority or higher privilege to perform unintended database operations...
CVE-2023-43614
Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script...