Search criteria
4 vulnerabilities found for Role Based Pricing for WooCommerce by Unknown
CVE-2022-3537 (GCVE-0-2022-3537)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 19:25
VLAI?
Title
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
Summary
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP
Severity ?
8.8 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Role Based Pricing for WooCommerce |
Affected:
1.6.2 , < 1.6.2
(custom)
|
Credits
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:01.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/696868f7-409d-422d-87f4-92fc6bf6e74e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3537",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:24:55.020932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:25:31.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Role Based Pricing for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.2",
"status": "affected",
"version": "1.6.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/696868f7-409d-422d-87f4-92fc6bf6e74e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Role Based Pricing for WooCommerce \u003c 1.6.2 - Subscriber+ Arbitrary File Upload",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3537",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-10-17T00:00:00.000Z",
"dateUpdated": "2025-05-01T19:25:31.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3536 (GCVE-0-2022-3536)
Vulnerability from cvelistv5 – Published: 2022-11-07 00:00 – Updated: 2025-05-01 19:26
VLAI?
Title
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
Summary
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Role Based Pricing for WooCommerce |
Affected:
1.6.3 , < 1.6.3
(custom)
|
Credits
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6af63aab-b7a6-4ef6-8604-4b4b99467a34"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3536",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:26:22.550047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:26:42.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Role Based Pricing for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "1.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/6af63aab-b7a6-4ef6-8604-4b4b99467a34"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Role Based Pricing for WooCommerce \u003c 1.6.3 - Subscriber+ PHAR Deserialization",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3536",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-10-17T00:00:00.000Z",
"dateUpdated": "2025-05-01T19:26:42.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3537 (GCVE-0-2022-3537)
Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-01 19:25
VLAI?
Title
Role Based Pricing for WooCommerce < 1.6.2 - Subscriber+ Arbitrary File Upload
Summary
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP
Severity ?
8.8 (High)
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Role Based Pricing for WooCommerce |
Affected:
1.6.2 , < 1.6.2
(custom)
|
Credits
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:01.998Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/696868f7-409d-422d-87f4-92fc6bf6e74e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3537",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:24:55.020932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:25:31.411Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Role Based Pricing for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.2",
"status": "affected",
"version": "1.6.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/696868f7-409d-422d-87f4-92fc6bf6e74e"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Role Based Pricing for WooCommerce \u003c 1.6.2 - Subscriber+ Arbitrary File Upload",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3537",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-10-17T00:00:00.000Z",
"dateUpdated": "2025-05-01T19:25:31.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-3536 (GCVE-0-2022-3536)
Vulnerability from nvd – Published: 2022-11-07 00:00 – Updated: 2025-05-01 19:26
VLAI?
Title
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
Summary
The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog
Severity ?
8.8 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Role Based Pricing for WooCommerce |
Affected:
1.6.3 , < 1.6.3
(custom)
|
Credits
WPScan
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T01:14:02.420Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6af63aab-b7a6-4ef6-8604-4b4b99467a34"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-3536",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T19:26:22.550047Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T19:26:42.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Role Based Pricing for WooCommerce",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.6.3",
"status": "affected",
"version": "1.6.3",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorisation and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-07T00:00:00.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"url": "https://wpscan.com/vulnerability/6af63aab-b7a6-4ef6-8604-4b4b99467a34"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Role Based Pricing for WooCommerce \u003c 1.6.3 - Subscriber+ PHAR Deserialization",
"x_generator": "WPScan CVE Generator"
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2022-3536",
"datePublished": "2022-11-07T00:00:00.000Z",
"dateReserved": "2022-10-17T00:00:00.000Z",
"dateUpdated": "2025-05-01T19:26:42.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}