5 matches found
CVE-2023-3365
CVE-2023-3365 affects MultiParcels Shipping For WooCommerce (WordPress plugin). The root cause is missing authorization checks when deleting shipments, enabling any authenticated user (e.g., subscribers) to delete arbitrary shipments. Public sources in connected documents confirm this vulnerabili...
CVE-2023-2843
CVE-2023-2843 affects the MultiParcels Shipping For WooCommerce WordPress plugin, vulnerable in versions before 1.14.15. A parameter is not properly sanitized/escaped before being used in an SQL statement, allowing authenticated users (e.g., subscribers) to perform SQL Injection. Root cause: impr...
CVE-2023-3671
CVE-2023-3671 affects the WordPress plugin MultiParcels Shipping For WooCommerce and is caused by insufficient sanitisation/escaping of parameters, leading to a reflected XSS. Vulnerable version range: before 1.15.4 (i.e., prior to plugin version 1.15.4). Impact stated: XSS could be exploited aga...
CVE-2023-3954
CVE-2023-3954 affects the MultiParcels Shipping For WooCommerce WordPress plugin prior to version 1.15.4. A Reflected XSS exists where an unsanitized parameter is output back to the page, enabling attack against admin/high-privilege users. A PoC is referenced in the connected exploit entry, illus...
CVE-2023-3366
The CVE-2023-3366 entry applies to the WordPress plugin MultiParcels Shipping For WooCommerce (versions before 1.15.2). The root cause is a missing CSRF check when deleting a shipment, enabling CSRF abuse to delete arbitrary shipments by any logged-in user. Impact is limited to CSRF-enabled actio...