cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-13519,https://securityvulnerability.io/vulnerability/CVE-2024-13519,Stored Cross-Site Scripting Vulnerability in MarketKing by WordPress,"The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress presents a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. This issue allows authenticated attackers with Shop Manager permissions and above to inject arbitrary scripts into plugin settings. The injected scripts can execute on any page accessed by users, posing a significant risk, especially in multi-site installations where unfiltered_html is disabled.",Wordpress,Marketking — Ultimate WooCommerce Multivendor Marketplace Solution,4.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-18T07:05:08.206Z,0
CVE-2024-13317,https://securityvulnerability.io/vulnerability/CVE-2024-13317,Cross-Site Request Forgery Vulnerability in ShipWorks Connector for WooCommerce by WordPress,"The ShipWorks Connector for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit missing or incorrect nonce validation on the 'shipworks-wordpress' page. By tricking a site administrator into performing an action, such as clicking a malicious link, an attacker can update the service's username and password without authorization. This highlights the importance of implementing proper nonce validation to safeguard against CSRF attacks.",Wordpress,Shipworks Connector For WooCommerce,4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-18T07:05:07.700Z,0
CVE-2024-13355,https://securityvulnerability.io/vulnerability/CVE-2024-13355,Insufficient File Upload Validation in Admin and Customer Messages Plugin for WooCommerce,"The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress suffers from a lack of proper file type validation in its upload_file() function. This vulnerability affects all versions up to and including 13.2. Authenticated users with Subscriber-level access and above can exploit this weakness to upload potentially malicious files, leading to serious security risks such as remote code execution and confirmed Cross-Site Scripting vulnerabilities, putting affected sites at significant risk.",Wordpress,Admin And Customer Messages After Order For WooCommerce: Orderconvo,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-16T09:39:14.156Z,0
CVE-2024-12412,https://securityvulnerability.io/vulnerability/CVE-2024-12412,Stored Cross-Site Scripting Vulnerability in WpRently Plugin for WooCommerce by WordPress,"The WpRently plugin for WordPress, used for managing rentals and bookings with WooCommerce integration, is susceptible to a Stored Cross-Site Scripting vulnerability. This issue arises from insufficient input sanitization and output escaping related to the 'active_tab' parameter. Attackers without authentication can exploit this vulnerability to inject arbitrary web scripts into pages, which will execute when users access these compromised pages. This can lead to unauthorized access and manipulation of user data, highlighting the urgent need for addressing this security flaw in all versions up to and including 2.2.1.",Wordpress,"Rental And Booking Manager For Bike, Car, Dress, Resort With WooCommerce Integration – WPrently | WordPress Plugin",6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-11T07:21:53.135Z,0
CVE-2024-12116,https://securityvulnerability.io/vulnerability/CVE-2024-12116,Information Exposure Vulnerability in Unlimited Theme Addon for Elementor and WooCommerce,"The Unlimited Theme Addon For Elementor and WooCommerce plugin for WordPress is susceptible to an information exposure issue through the 'uta-template' shortcode. This vulnerability arises from inadequate access controls which fail to restrict the visibility of private or draft posts created with Elementor. Authenticated users with Contributor-level access and above may exploit this weakness to gain unauthorized access to sensitive content that should remain private, potentially compromising data integrity and confidentiality.",Wordpress,Unlimited Theme Addon For Elementor And WooCommerce,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-11T07:21:52.245Z,0
CVE-2024-11815,https://securityvulnerability.io/vulnerability/CVE-2024-11815,Reflected Cross-Site Scripting Vulnerability in Pósturinn Shipping Plugin for WooCommerce,"The Pósturinn Shipping with WooCommerce plugin for WordPress is susceptible to a reflected cross-site scripting flaw. This vulnerability arises from poor sanitization of input data and improper escaping of output, allowing unauthenticated attackers to inject malicious scripts into web pages. If users are deceived into interacting with maliciously crafted links, the scripts can execute in their browsers, posing a significant risk to user data and site integrity. Affected users should update to the latest version to mitigate potential exploitation.",Wordpress,Pósturinn's Shipping With WooCommerce,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-09T11:11:00.678Z,0
CVE-2024-12218,https://securityvulnerability.io/vulnerability/CVE-2024-12218,Cross-Site Request Forgery Vulnerability in Woocommerce Shipping Plugin by WordPress,"The Woocommerce Check Pincode/Zipcode for Shipping plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) attacks across all versions up to and including 2.0.4. This vulnerability arises from insufficient or improper nonce validation, enabling unauthenticated attackers to exploit this flaw. If an attacker successfully deceives a site administrator into executing a malicious action, they could inject harmful web scripts via forged requests, potentially compromising the integrity and security of the website.",Wordpress,WooCommerce Check Pincode/zipcode For Shipping,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-09T11:10:58.656Z,0
CVE-2024-5769,https://securityvulnerability.io/vulnerability/CVE-2024-5769,Unauthorized Data Modification in MIMO WooCommerce Order Tracking Plugin for WordPress,"The MIMO WooCommerce Order Tracking plugin for WordPress has a vulnerability that allows authenticated attackers with Subscriber-level access and above to modify shipper tracking settings. This issue arises due to a lack of proper capability checks on several critical functions within the plugin. As a result, malicious users can add, update, or delete tracking information, potentially leading to misinformation or disruption of order tracking functionality.",Wordpress,Mimo WooCommerce Order Tracking,4.3,MEDIUM,0.0006799999973736703,false,,false,false,false,false,false,false,2025-01-09T11:10:56.814Z,0
CVE-2024-12222,https://securityvulnerability.io/vulnerability/CVE-2024-12222,Reflected Cross-Site Scripting Vulnerability in Deliver via Shipos for WooCommerce Plugin by WordPress,"The Deliver via Shipos for WooCommerce plugin for WordPress allows unauthenticated attackers to exploit a reflected cross-site scripting vulnerability through the 'dvsfw_bulk_label_url' parameter. This is due to inadequate input sanitization and output escaping mechanisms present in versions up to 2.1.7. If an attacker manages to deceive a user into clicking a crafted link, they can execute arbitrary web scripts, potentially compromising user data or session details.",Wordpress,Deliver Via Shipos For WooCommerce,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-09T11:10:55.725Z,0
CVE-2024-12337,https://securityvulnerability.io/vulnerability/CVE-2024-12337,Reflected Cross-Site Scripting Vulnerability in Shipping via Planzer for WooCommerce Plugin,"The Shipping via Planzer for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to exploit reflected cross-site scripting through the 'processed-ids' parameter. All versions up to and including 1.0.25 are affected due to inadequate input sanitization and output escaping. This flaw enables attackers to inject arbitrary web scripts, potentially compromising the integrity of user interactions by tricking them into clicking manipulated links. To mitigate this threat, users are urged to update to the latest version of the plugin, where these security issues have been addressed.",Wordpress,Shipping Via Planzer For WooCommerce,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-08T11:09:25.845Z,0
CVE-2024-11423,https://securityvulnerability.io/vulnerability/CVE-2024-11423,Unauthorized Data Modification in WooCommerce Gift Card Plugin by WordPress,"The Ultimate Gift Cards for WooCommerce plugin facilitates the creation and management of digital gift cards for e-commerce sites. However, a security flaw exists due to the absence of proper capability checks on multiple REST API endpoints (such as /wp-json/gifting/recharge-giftcard). This vulnerability enables attackers without authentication to alter gift card balances, recharge gift cards without payment, and unlawfully reduce gift card values, posing significant risks to both merchants and customers.",Wordpress,"Gift Cards For WooCommerce Pro,Ultimate Gift Cards For WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, And Use Advance Coupons With Personalized Templates",7.5,HIGH,0.000539999979082495,false,,false,false,true,true,false,false,2025-01-08T11:09:24.799Z,0
CVE-2024-12532,https://securityvulnerability.io/vulnerability/CVE-2024-12532,Sensitive Information Exposure in BWD Elementor Addons Plugin for WordPress,"The BWD Elementor Addons plugin for WordPress contains a vulnerability in widgets/bwdeb-content-switcher.php that allows authenticated attackers with Contributor-level access and above to gain access to sensitive information. This includes private, pending, and draft template data, which could lead to potential data leakage or exploitation of user information. It is recommended that users of affected versions upgrade to the latest release to mitigate this risk.",Wordpress,"Bwd Elementor Addons (2500+ Presets, Meet The Team, Lottie, Lord Icon, Masking, WooCommerce, Theme Builder, Products, Blogs, Cv, Contact Form 7 Styler, Header, Slider, Hero Section)",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T11:11:11.537Z,0
CVE-2024-12781,https://securityvulnerability.io/vulnerability/CVE-2024-12781,Unauthorized Data Modification in Aurum WordPress & WooCommerce Theme,"The Aurum theme for WordPress and WooCommerce has a vulnerability that allows for unauthorized modification of content due to a lack of capability checks in the 'lab_1cl_demo_install_package_content' function. This issue affects all versions up to and including 4.0.2, enabling authenticated attackers with a Subscriber-level account or above to overwrite data with demo content. This poses significant risks for site integrity and content management, making it essential for users to implement patches and updates.",Wordpress,Aurum - WordPress & WooCommerce Shopping Theme,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-07T06:40:59.272Z,0
CVE-2024-11725,https://securityvulnerability.io/vulnerability/CVE-2024-11725,Unauthorized Data Modification in WooCommerce Plugin for WordPress,"The SMS Alert Order Notifications plugin for WooCommerce allows for unauthorized data modification due to a missing capability check in the updateWcWarrantySettings() function. This vulnerability impacts all versions up to 3.7.6. Authenticated attackers with a subscriber-level role can exploit this to update arbitrary options on a WordPress site, including changing user registration roles to administrator. This opens the door for unauthorized administrative access if the woocommerce-warranty plugin is installed, posing a significant risk to site security.",Wordpress,Sms Alert Order Notifications – WooCommerce,8.8,HIGH,0.0008699999889358878,false,,false,false,false,false,false,false,2025-01-07T06:40:56.260Z,0
CVE-2024-12384,https://securityvulnerability.io/vulnerability/CVE-2024-12384,Reflected Cross-Site Scripting in Binary MLM Woocommerce Plugin for WordPress,"The Binary MLM Woocommerce plugin for WordPress exposes a vulnerability that allows for reflected cross-site scripting due to inadequate input sanitization and output escaping. Unauthenticated attackers can exploit this flaw by manipulating the 'page' parameter, leading to the injection of arbitrary web scripts. If a user is deceived into clicking a malicious link, the script may execute in their browser, compromising their session and potentially revealing sensitive information.",Wordpress,Binary Mlm WooCommerce,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T05:24:09.839Z,0
CVE-2024-12383,https://securityvulnerability.io/vulnerability/CVE-2024-12383,Cross-Site Request Forgery Vulnerability in Binary MLM Woocommerce Plugin for WordPress,"The Binary MLM Woocommerce plugin for WordPress exposes a critical security flaw due to inadequate nonce validation in the 'bmw_display_pv_set_page' function. This vulnerability allows unauthenticated attackers to exploit insufficient input sanitization and output escaping of the 'product_points' parameter, potentially injecting arbitrary web scripts through a maliciously crafted request. The exploitation of this vulnerability could lead to unauthorized actions on behalf of legitimate users, particularly if an administrator is tricked into clicking a deceptive link.",Wordpress,Binary Mlm WooCommerce,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T05:23:56.899Z,0
CVE-2024-12438,https://securityvulnerability.io/vulnerability/CVE-2024-12438,Reflected Cross-Site Scripting Vulnerability in WooCommerce Digital Content Delivery Plugin,"The WooCommerce Digital Content Delivery (FlickRocket) plugin for WordPress suffers from a reflected cross-site scripting vulnerability. This issue arises from inadequate input sanitization and output escaping on the 'start_date' and 'end_date' parameters. An unauthenticated attacker can exploit this flaw to inject arbitrary web scripts into web pages viewed by users. If the victim is manipulated into engaging with a crafted link, the malicious script will execute in their browser context, potentially facilitating various attacks, including data theft and session hijacking.",Wordpress,WooCommerce Digital Content Delivery (incl. Drm) – Flickrocket,6.1,MEDIUM,0.0007200000109151006,false,,false,false,false,false,false,false,2025-01-07T05:23:56.544Z,0
CVE-2024-11369,https://securityvulnerability.io/vulnerability/CVE-2024-11369,Reflected Cross-Site Scripting in Store Credit/Gift Cards for WooCommerce Plugin by WordPress,"The Store Credit / Gift Cards for WooCommerce plugin for WordPress is susceptible to a reflected cross-site scripting (XSS) vulnerability due to inadequate input sanitization and output escaping mechanisms. This flaw allows unauthenticated attackers to inject arbitrary web scripts into the pages, affecting users who interact with compromised links or inputs. Specifically, the vulnerability arises from the manipulation of the 'coupon', 'start_date', and 'end_date' parameters, impacting all versions up to and including 1.0.49.46.",Wordpress,Store Credit / Gift Cards For WooCommerce,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T05:23:53.299Z,0
CVE-2024-12435,https://securityvulnerability.io/vulnerability/CVE-2024-12435,Reflected Cross-Site Scripting in Compare Products for WooCommerce Plugin,"The Compare Products for WooCommerce plugin for WordPress is vulnerable to a Reflected Cross-Site Scripting (XSS) flaw through the 's_feature' parameter. This vulnerability arises from inadequate input sanitization and output escaping in all versions up to 3.2.1. By exploiting this weakness, unauthenticated attackers could inject malicious scripts into web pages. These scripts could execute within the user's browser if the attacker successfully persuades them to perform actions such as clicking on a specially crafted link, potentially compromising user data and site integrity.",Wordpress,Compare Products For WooCommerce,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-07T04:22:23.499Z,0
CVE-2024-12313,https://securityvulnerability.io/vulnerability/CVE-2024-12313,PHP Object Injection Vulnerability in Compare Products for WooCommerce Plugin,"The Compare Products for WooCommerce plugin for WordPress is susceptible to PHP Object Injection due to unsafe deserialization of untrusted input from the 'woo_compare_list' cookie across all versions up to and including 3.2.1. This vulnerability enables unauthenticated attackers to inject arbitrary PHP objects. While the vulnerable software lacks a known Property-Oriented Programming (POP) chain, the risk escalates if additional plugins or themes are installed on the target system, potentially allowing attackers to execute arbitrary code, delete files, or access sensitive data.",Wordpress,Compare Products For WooCommerce,8.1,HIGH,0.0006300000241026282,false,,false,false,false,false,false,false,2025-01-07T04:22:01.100Z,0
CVE-2024-11378,https://securityvulnerability.io/vulnerability/CVE-2024-11378,Reflected Cross-Site Scripting in Bizapp for WooCommerce by WordPress,"The Bizapp for WooCommerce plugin exposes a vulnerability that allows for reflected cross-site scripting through the 'error' parameter. This issue arises due to inadequate input sanitization and output escaping. As a result, unauthenticated attackers can exploit this vulnerability to insert malicious scripts into web pages. Users may inadvertently execute these scripts when manipulated into clicking deceptive links, leading to potential account compromise and data theft.",Wordpress,Bizapp For WooCommerce,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-07T04:21:58.656Z,0
CVE-2024-12214,https://securityvulnerability.io/vulnerability/CVE-2024-12214,Reflected Cross-Site Scripting in WooCommerce HSS Extension for Streaming Video,"The WooCommerce HSS Extension for Streaming Video plugin for WordPress suffers from a vulnerability that allows unauthenticated attackers to exploit the 'videolink' parameter. Due to inadequate input sanitization and output escaping, this flaw enables attackers to inject arbitrary web scripts into web pages. If a user is tricked into clicking a malicious link, the injected script can execute in their browser context, potentially leading to account compromises or unauthorized data access.",Wordpress,WooCommerce Hss Extension For Streaming Video,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-07T04:21:57.210Z,0
CVE-2024-11465,https://securityvulnerability.io/vulnerability/CVE-2024-11465,"PHP Object Injection Vulnerability in Custom Product Tabs for WooCommerce Plugin by YIKES, Inc.","The Custom Product Tabs for WooCommerce plugin for WordPress is susceptible to a PHP Object Injection vulnerability through the deserialization of untrusted input found in the 'yikes_woo_products_tabs' post meta parameter. This could allow authenticated attackers with Shop Manager-level access or higher to inject malicious PHP Objects. No existing Property-Oriented Programming (POP) chain is identified within the vulnerable plugin; however, if a POP chain is facilitated by other plugins or themes on the target site, the attacker may gain the ability to delete arbitrary files, access sensitive information, or execute unauthorized code.",Wordpress,Custom Product Tabs For WooCommerce,7.2,HIGH,0.0009200000204145908,false,,false,false,false,false,false,false,2025-01-07T04:21:56.824Z,0
CVE-2024-12416,https://securityvulnerability.io/vulnerability/CVE-2024-12416,SQL Injection Vulnerability in Woomotiv Plugin for WooCommerce by WordPress,"The Live Sales Notification for WooCommerce - Woomotiv plugin for WordPress contains a SQL Injection vulnerability due to insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries. This security flaw affects all versions up to and including 3.6.1, allowing unauthenticated attackers to execute arbitrary SQL commands through manipulated cookies. Exploitation of this vulnerability could lead to unauthorized access and extraction of sensitive data from the database, posing significant risks to WordPress site operators.",Wordpress,Live Sales Notification For WooCommerce – Woomotiv,7.5,HIGH,0.0006000000284984708,false,,false,false,false,false,false,false,2025-01-07T03:21:56.673Z,0
CVE-2024-11934,https://securityvulnerability.io/vulnerability/CVE-2024-11934,Stored Cross-Site Scripting in Formaloo Form Maker & Customer Analytics Plugin for WordPress,"The Formaloo Form Maker & Customer Analytics plugin for WordPress has a vulnerability that allows attackers with Contributor-level access and above to inject arbitrary web scripts into pages. This issue arises from insufficient input sanitization and output escaping related to the 'address' parameter. As a result, when users access a page with a malicious script injected, it gets executed, potentially compromising user data and security.",Wordpress,Formaloo Form Maker & Customer Analytics For WordPress & WooCommerce,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-07T03:21:54.579Z,0