CVE-2021-24323
- EPSS 0.74%
- Veröffentlicht 17.05.2021 17:15:08
- Zuletzt bearbeitet 21.11.2024 05:52:50
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disable...
CVE-2020-29156
- EPSS 4.03%
- Veröffentlicht 27.12.2020 19:15:11
- Zuletzt bearbeitet 21.11.2024 05:23:44
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVE-2019-20891
- EPSS 0.53%
- Veröffentlicht 19.06.2020 21:15:10
- Zuletzt bearbeitet 21.11.2024 04:39:37
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
CVE-2019-9168
- EPSS 0.98%
- Veröffentlicht 26.02.2019 00:29:00
- Zuletzt bearbeitet 21.11.2024 04:51:07
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
CVE-2018-20714
- EPSS 1.84%
- Veröffentlicht 15.01.2019 16:29:00
- Zuletzt bearbeitet 21.11.2024 04:02:00
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a sh...
CVE-2017-18356
- EPSS 1.96%
- Veröffentlicht 15.01.2019 16:29:00
- Zuletzt bearbeitet 21.11.2024 03:19:55
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string t...
CVE-2015-2329
- EPSS 1.18%
- Veröffentlicht 08.02.2018 23:29:00
- Zuletzt bearbeitet 21.11.2024 02:27:13
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
CVE-2016-10112
- EPSS 0.9%
- Veröffentlicht 04.01.2017 02:59:03
- Zuletzt bearbeitet 06.05.2026 22:30:45
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.