Search criteria
4 vulnerabilities found for Binary MLM Woocommerce by letscms
CVE-2024-12384 (GCVE-0-2024-12384)
Vulnerability from cvelistv5 – Published: 2025-01-07 05:24 – Updated: 2025-01-07 16:13
VLAI?
Title
Binary MLM Woocommerce <= 2.0 - Reflected Cross-Site Scripting via 'page'
Summary
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page’ parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| letscms | Binary MLM Woocommerce |
Affected:
* , ≤ 2.0
(semver)
|
Credits
Dale Mavers
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:52:21.718424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:13:01.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Binary MLM Woocommerce",
"vendor": "letscms",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u2019 parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:24:09.839Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf6b2ea-5a6a-481b-9431-650c895f54ef?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/payout/payout-report.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/payout/payout-report.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/register-first-user.php#L82"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:22:39.000+00:00",
"value": "Disclosed"
}
],
"title": "Binary MLM Woocommerce \u003c= 2.0 - Reflected Cross-Site Scripting via \u0027page\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12384",
"datePublished": "2025-01-07T05:24:09.839Z",
"dateReserved": "2024-12-09T20:09:03.350Z",
"dateUpdated": "2025-01-07T16:13:01.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12383 (GCVE-0-2024-12383)
Vulnerability from cvelistv5 – Published: 2025-01-07 05:23 – Updated: 2025-01-07 16:15
VLAI?
Title
Binary MLM Woocommerce <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Summary
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| letscms | Binary MLM Woocommerce |
Affected:
* , ≤ 2.0
(semver)
|
Credits
Colin Xu
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:52:42.824523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:15:02.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Binary MLM Woocommerce",
"vendor": "letscms",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the \u0027bmw_display_pv_set_page\u0027 function and insufficient input sanitization and output escaping of the \u0027product_points\u0027 parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:23:56.899Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b061fbf2-4bb3-4ccc-ba90-1e947365435e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L96"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:22:27.000+00:00",
"value": "Disclosed"
}
],
"title": "Binary MLM Woocommerce \u003c= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12383",
"datePublished": "2025-01-07T05:23:56.899Z",
"dateReserved": "2024-12-09T19:23:25.666Z",
"dateUpdated": "2025-01-07T16:15:02.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12384 (GCVE-0-2024-12384)
Vulnerability from nvd – Published: 2025-01-07 05:24 – Updated: 2025-01-07 16:13
VLAI?
Title
Binary MLM Woocommerce <= 2.0 - Reflected Cross-Site Scripting via 'page'
Summary
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page’ parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| letscms | Binary MLM Woocommerce |
Affected:
* , ≤ 2.0
(semver)
|
Credits
Dale Mavers
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:52:21.718424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:13:01.518Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Binary MLM Woocommerce",
"vendor": "letscms",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dale Mavers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u2019 parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:24:09.839Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf6b2ea-5a6a-481b-9431-650c895f54ef?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/payout/payout-report.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/payout/payout-report.php#L121"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/register-first-user.php#L82"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:22:39.000+00:00",
"value": "Disclosed"
}
],
"title": "Binary MLM Woocommerce \u003c= 2.0 - Reflected Cross-Site Scripting via \u0027page\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12384",
"datePublished": "2025-01-07T05:24:09.839Z",
"dateReserved": "2024-12-09T20:09:03.350Z",
"dateUpdated": "2025-01-07T16:13:01.518Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-12383 (GCVE-0-2024-12383)
Vulnerability from nvd – Published: 2025-01-07 05:23 – Updated: 2025-01-07 16:15
VLAI?
Title
Binary MLM Woocommerce <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Summary
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| letscms | Binary MLM Woocommerce |
Affected:
* , ≤ 2.0
(semver)
|
Credits
Colin Xu
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:52:42.824523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:15:02.519Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Binary MLM Woocommerce",
"vendor": "letscms",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the \u0027bmw_display_pv_set_page\u0027 function and insufficient input sanitization and output escaping of the \u0027product_points\u0027 parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T05:23:56.899Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b061fbf2-4bb3-4ccc-ba90-1e947365435e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-binary-mlm/trunk/includes/admin/point_setting.php#L96"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T16:22:27.000+00:00",
"value": "Disclosed"
}
],
"title": "Binary MLM Woocommerce \u003c= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12383",
"datePublished": "2025-01-07T05:23:56.899Z",
"dateReserved": "2024-12-09T19:23:25.666Z",
"dateUpdated": "2025-01-07T16:15:02.519Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}