4 matches found
CVE-2021-24993
The Ultimate Product Catalog WordPress plugin is affected pre-5.0.26 by missing authorization and CSRF checks in certain AJAX actions, allowing any authenticated user (e.g., a subscriber) to add arbitrary products or alter settings. Mitigation: update to version 5.0.26 or later; a PoC exists show...
CVE-2023-2711
The CVE-2023-2711 entry concerns the Ultimate Product Catalog WordPress plugin (prior to 5.2.6). The vulnerability arises because some settings are not properly sanitised/escaped, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (including multisi...
CVE-2017-12199
The CVE-2017-12199 entry documents a SQL injection in the WordPress plugin Etoile Ultimate Product Catalog (version 4.2.11). The vulnerability arises via multiple wp-admin/admin-ajax.php POST actions (catalogue_update_order, list-item, video_update_order, image_update_order, tag_group_update_orde...
CVE-2017-12200
The CVE-2017-12200 entry concerns the WordPress plugin Etoile Ultimate Product Catalog (version 4.2.11). A cross-site scripting (XSS) vulnerability exists in the Add Product Manually component, enabling a remote attacker to inject arbitrary web script or HTML. Details across sources confirm the a...