Filtered by vendor Webtoffee
Subscribe
Total
37 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1973 | 1 Webtoffee | 1 Import Export Wordpress Users | 2025-07-09 | N/A | 4.9 MEDIUM |
| The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | |||||
| CVE-2025-1769 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2025-07-09 | N/A | 4.9 MEDIUM |
| The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | |||||
| CVE-2025-1911 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2025-07-09 | N/A | 2.7 LOW |
| The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server. | |||||
| CVE-2025-1912 | 1 Webtoffee | 1 Product Import Export For Woocommerce | 2025-07-09 | N/A | 7.6 HIGH |
| The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-8397 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 5.4 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context. | |||||
| CVE-2024-8286 | 1 Webtoffee | 1 Gdpr Cookie Consent | 2025-06-12 | N/A | 6.5 MEDIUM |
| The webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks | |||||
| CVE-2024-13920 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-03-27 | N/A | 4.9 MEDIUM |
| The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information. | |||||
| CVE-2024-13923 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-03-26 | N/A | 7.6 HIGH |
| The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | |||||
| CVE-2024-13922 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-03-26 | N/A | 2.7 LOW |
| The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server. | |||||
| CVE-2024-13921 | 1 Webtoffee | 1 Order Export \& Order Import For Woocommerce | 2025-03-26 | N/A | 7.2 HIGH |
| The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | |||||
| CVE-2023-51546 | 1 Webtoffee | 1 Woocommerce Pdf Invoices\, Packing Slips\, Delivery Notes And Shipping Labels | 2025-02-11 | N/A | 7.2 HIGH |
| Improper Privilege Management vulnerability in WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels allows Privilege Escalation.This issue affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels: from n/a through 4.2.1. | |||||
| CVE-2023-5738 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 5.4 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks. | |||||
| CVE-2023-5737 | 1 Webtoffee | 1 Backup And Migration | 2024-11-21 | N/A | 4.3 MEDIUM |
| The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings. | |||||
| CVE-2023-4040 | 1 Webtoffee | 1 Stripe Payment Plugin For Woocommerce | 2024-11-21 | N/A | 5.3 MEDIUM |
| The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders. | |||||
| CVE-2020-12074 | 1 Webtoffee | 1 Import Export Wordpress Users | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The users-customers-import-export-for-wp-woocommerce plugin before 1.3.9 for WordPress allows subscribers to import administrative accounts via CSV. | |||||
| CVE-2019-15092 | 1 Webtoffee | 1 Import Export Wordpress Users | 2024-11-21 | 6.0 MEDIUM | 7.3 HIGH |
| The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class. | |||||
| CVE-2018-11526 | 1 Webtoffee | 1 Wordpress Comments Import And Export | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection. | |||||