CVE-2013-2010

Public exploit
WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability
Max CVSS: 9.8
EPSS Score: 96.98%
Published: 2020-02-12
Updated: 2020-02-14

A vulnerability classified as critical was found in the VaultPress Plugin up to 1.6.0 for WordPress. The affected code is the function protect_aioseo_ajax in the file class.vaultpress-hotfixes.php of the MailPoet Plugin component. The manipulation leads to an unrestricted upload, and the attack can be launched remotely. Upgrading to version 1.6.1 addresses this issue; the fix is identified as patch e3b92b14edca6291c5f998d54c90cbe98a1fb0e3. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230263.
Max CVSS: 9.8
EPSS Score: 0.06%
Published: 2023-06-01
Updated: 2024-03-21

CVE-2023-28121

Public exploit
An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.
Max CVSS: 9.8
EPSS Score: 93.81%
Published: 2023-04-12
Updated: 2023-12-18

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.
Max CVSS: 9.8
EPSS Score: 0.08%
Published: 2023-12-20
Updated: 2023-12-29

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1.
Max CVSS: 9.8
EPSS Score: 0.09%
Published: 2024-01-05
Updated: 2024-01-11

The WP Super Cache WordPress plugin before 1.7.2 was affected by an authenticated (admin+) RCE in the settings page, due to an input validation failure and a weak $cache_path check in the WP Super Cache Settings -> Cache Location option. Direct access to the wp-cache-config.php file is not prohibited, so this vulnerability can be exploited for a web shell injection.
Max CVSS: 9.0
EPSS Score: 0.10%
Published: 2021-04-05
Updated: 2023-07-04

WordPress WP Super Cache Plugin 1.2 has a Remote PHP Code Execution vulnerability.
Max CVSS: 8.8
EPSS Score: 4.12%
Published: 2020-02-07
Updated: 2020-02-10

WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009.
Max CVSS: 8.8
EPSS Score: 1.77%
Published: 2019-12-26
Updated: 2020-01-02

In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Max CVSS: 8.8
EPSS Score: 0.10%
Published: 2019-01-15
Updated: 2019-02-07

A buffer overflow is present in canvas version <= 1.6.9, which could lead to a Denial of Service or execution of arbitrary code when it processes a user-provided image.
Max CVSS: 8.8
EPSS Score: 0.33%
Published: 2020-07-20
Updated: 2020-07-23

The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the 'zbscrmcsvimpf' parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1. While the function performs a nonce check, steps 2 and 3 of the check do not take any action upon a failed check. These steps then perform a 'file_exists' check on the value of 'zbscrmcsvimpf'. If a phar:// archive is supplied, its contents will be deserialized and an object injected into the execution stream. This allows an unauthenticated attacker to obtain object injection if they are able to upload a phar archive (for instance, if the site supports image uploads) and then trick an administrator into performing an action, such as clicking a link.
Max CVSS: 8.8
EPSS Score: 0.08%
Published: 2023-10-20
Updated: 2023-10-27

Authenticated (contributor+) Privilege Escalation vulnerability in Crowdsignal Dashboard plugin <= 3.0.9 on WordPress.
Max CVSS: 8.8
EPSS Score: 0.08%
Published: 2022-11-17
Updated: 2023-06-27

The Jetpack WordPress plugin before 12.1.1 does not validate uploaded files, allowing users with author roles or above to manipulate existing files on the site, delete arbitrary files, and in rare cases achieve Remote Code Execution via phar deserialization.
Max CVSS: 8.8
EPSS Score: 0.11%
Published: 2023-06-27
Updated: 2023-07-03

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 2.0.3.
Max CVSS: 8.8
EPSS Score: 0.06%
Published: 2023-12-18
Updated: 2023-12-22

Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Canada Post Shipping Method. This issue affects Canada Post Shipping Method: from n/a through 2.8.3.
Max CVSS: 8.8
EPSS Score: 0.06%
Published: 2023-12-18
Updated: 2023-12-22

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless. This issue affects GoCardless: from n/a through 2.5.6.
Max CVSS: 8.2
EPSS Score: 0.09%
Published: 2023-12-20
Updated: 2023-12-28

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square. This issue affects WooCommerce Square: from n/a through 3.8.1.
Max CVSS: 8.1
EPSS Score: 0.05%
Published: 2023-12-20
Updated: 2023-12-28

SQL injection vulnerability in modules/sharedaddy.php in the Jetpack plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
Max CVSS: 7.5
EPSS Score: 0.06%
Published: 2011-12-02
Updated: 2017-08-29

The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.
Max CVSS: 7.5
EPSS Score: 0.16%
Published: 2019-07-18
Updated: 2019-07-18

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files contain the code "if (!defined('ABSPATH')) {exit;}".
Max CVSS: 7.5
EPSS Score: 0.49%
Published: 2017-11-29
Updated: 2024-03-21

A vulnerability classified as critical was found in VaultPress Plugin 1.8.4. An unknown part of the plugin is affected; the manipulation leads to code injection, and the attack can be initiated remotely.
Max CVSS: 7.5
EPSS Score: 0.10%
Published: 2022-06-23
Updated: 2022-06-29

woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin from version 2.5.0 up to, but not including, version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read-only SQL query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.
Max CVSS: 7.5
EPSS Score: 9.34%
Published: 2021-07-26
Updated: 2021-08-05

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 1.15.78.
Max CVSS: 7.5
EPSS Score: 0.09%
Published: 2023-12-21
Updated: 2023-12-30

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions. This issue affects Woo Subscriptions: from n/a through 5.1.2.
Max CVSS: 7.5
EPSS Score: 0.09%
Published: 2023-12-20
Updated: 2023-12-29

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.
Max CVSS: 7.5
EPSS Score: 0.09%
Published: 2023-12-20
Updated: 2023-12-29

54 vulnerabilities found