Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities by YITH
CVE-2023-46635 (GCVE-0-2023-46635)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2025-01-02 17:12
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.2.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Product Add-Ons |
Affected:
n/a , ≤ 4.2.0
(custom)
|
Credits
Elliot (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46635",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T17:12:22.758024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T17:12:30.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "4.2.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Elliot (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T12:00:26.584Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-2-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No patched version is available. No reply from the vendor."
}
],
"value": "No patched version is available. No reply from the vendor."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.2.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-46635",
"datePublished": "2025-01-02T12:00:26.584Z",
"dateReserved": "2023-10-24T13:10:46.641Z",
"dateUpdated": "2025-01-02T17:12:30.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36506 (GCVE-0-2023-36506)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:23 – Updated: 2024-12-13 20:51
VLAI?
Title
WordPress YITH WooCommerce Waitlist plugin <= 2.13.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in YITH YITH WooCommerce Waiting List allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Waiting List: from n/a through 2.13.0.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Waiting List |
Affected:
n/a , ≤ 2.13.0
(custom)
|
Credits
thiennv (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T20:50:51.787402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:51:09.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-waiting-list",
"product": "YITH WooCommerce Waiting List",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "2.13.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.13.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "thiennv (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in YITH YITH WooCommerce Waiting List allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects YITH WooCommerce Waiting List: from n/a through 2.13.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Waiting List allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Waiting List: from n/a through 2.13.0."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T14:23:41.538Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/yith-woocommerce-waiting-list/vulnerability/wordpress-yith-woocommerce-waitlist-plugin-2-6-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "No patched version is available."
}
],
"value": "No patched version is available."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Waitlist plugin \u003c= 2.13.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-36506",
"datePublished": "2024-12-13T14:23:41.538Z",
"dateReserved": "2023-06-22T08:38:41.922Z",
"dateUpdated": "2024-12-13T20:51:09.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50448 (GCVE-0-2024-50448)
Vulnerability from cvelistv5 – Published: 2024-10-28 17:56 – Updated: 2026-04-01 15:36
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.14.1 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.14.1.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Product Add-Ons |
Affected:
0 , ≤ 4.14.1
(custom)
|
Date Public ?
2026-04-01 16:28
Credits
Le Ngoc Anh | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T20:01:17.581303Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T20:05:57.024Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "4.14.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.14.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le Ngoc Anh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:47.026Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.14.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.14.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:36:51.851Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-14-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.14.1 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-50448",
"datePublished": "2024-10-28T17:56:18.964Z",
"dateReserved": "2024-10-24T07:26:07.770Z",
"dateUpdated": "2026-04-01T15:36:51.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47350 (GCVE-0-2024-47350)
Vulnerability from cvelistv5 – Published: 2024-10-06 12:55 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress YITH WooCommerce Ajax Search plugin <= 2.8.0 - SQL Injection vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax Search: from n/a through <= 2.8.0.
Severity ?
No CVSS data available.
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Ajax Search |
Affected:
0 , ≤ 2.8.0
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Hakiduck | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yithemes:yith_woocommerce_ajax_search:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "yith_woocommerce_ajax_search",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "2.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47350",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T13:41:42.816845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T16:01:34.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-ajax-search",
"product": "YITH WooCommerce Ajax Search",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "2.8.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hakiduck | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:49.636Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.\u003cp\u003eThis issue affects YITH WooCommerce Ajax Search: from n/a through \u003c= 2.8.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in YITHEMES YITH WooCommerce Ajax Search yith-woocommerce-ajax-search.This issue affects YITH WooCommerce Ajax Search: from n/a through \u003c= 2.8.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:23.665Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-ajax-search/vulnerability/wordpress-yith-woocommerce-ajax-search-plugin-2-8-0-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Ajax Search plugin \u003c= 2.8.0 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47350",
"datePublished": "2024-10-06T12:55:16.832Z",
"dateReserved": "2024-09-24T13:01:14.080Z",
"dateUpdated": "2026-04-01T15:35:23.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-47367 (GCVE-0-2024-47367)
Vulnerability from cvelistv5 – Published: 2024-10-06 09:43 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.13.0 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons allows Reflected XSS.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.13.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Product Add-Ons |
Affected:
0 , ≤ 4.13.0
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Le Ngoc Anh | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-47367",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-07T15:29:17.028573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-07T15:29:26.580Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "4.13.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.13.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le Ngoc Anh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:51.992Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons allows Reflected XSS.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.13.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons allows Reflected XSS.This issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.13.0."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:27.856Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-13-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.13.0 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-47367",
"datePublished": "2024-10-06T09:43:52.856Z",
"dateReserved": "2024-09-24T13:01:41.750Z",
"dateUpdated": "2026-04-01T15:35:27.856Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37943 (GCVE-0-2024-37943)
Vulnerability from cvelistv5 – Published: 2024-07-20 08:54 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH WooCommerce Ajax Product Filter plugin <= 5.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Ajax Product Filter yith-woocommerce-ajax-navigation.This issue affects YITH WooCommerce Ajax Product Filter: from n/a through <= 5.1.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Ajax Product Filter |
Affected:
0 , ≤ 5.1.0
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37943",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-22T19:13:37.154512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-22T19:15:10.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:04:24.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-ajax-navigation/wordpress-yith-woocommerce-ajax-product-filter-plugin-5-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-ajax-navigation",
"product": "YITH WooCommerce Ajax Product Filter",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "5.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:43.465Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Ajax Product Filter yith-woocommerce-ajax-navigation.\u003cp\u003eThis issue affects YITH WooCommerce Ajax Product Filter: from n/a through \u003c= 5.1.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Ajax Product Filter yith-woocommerce-ajax-navigation.This issue affects YITH WooCommerce Ajax Product Filter: from n/a through \u003c= 5.1.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:35.473Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-ajax-navigation/vulnerability/wordpress-yith-woocommerce-ajax-product-filter-plugin-5-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Ajax Product Filter plugin \u003c= 5.1.0 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37943",
"datePublished": "2024-07-20T08:54:23.195Z",
"dateReserved": "2024-06-10T21:14:27.201Z",
"dateUpdated": "2026-04-01T15:34:35.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35680 (GCVE-0-2024-35680)
Vulnerability from cvelistv5 – Published: 2024-06-10 15:48 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.9.2 - Content Injection vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.9.2.
Severity ?
No CVSS data available.
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Product Add-Ons |
Affected:
0 , ≤ 4.9.2
(custom)
|
Date Public ?
2026-04-01 16:25
Credits
savphill | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yithemes:yith_woocommerce_product_add-ons:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "yith_woocommerce_product_add-ons",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "4.9.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35680",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T18:34:15.454647Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T18:35:56.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-plugin-4-9-2-content-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "4.9.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:25:59.152Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.9.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.9.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:17.972Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-9-2-content-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.9.2 - Content Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35680",
"datePublished": "2024-06-10T15:48:09.142Z",
"dateReserved": "2024-05-17T10:08:45.807Z",
"dateUpdated": "2026-04-01T15:34:17.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-30470 (GCVE-0-2024-30470)
Vulnerability from cvelistv5 – Published: 2024-06-09 10:51 – Updated: 2024-08-02 01:38
VLAI?
Title
WordPress YITH WooCommerce Account Funds Premium plugin <= 1.32.0 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.This issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Account Funds Premium |
Affected:
n/a , ≤ 1.33.0
(custom)
|
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yithemes:yith_woocommerce_account_funds_premium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "yith_woocommerce_account_funds_premium",
"vendor": "yithemes",
"versions": [
{
"lessThanOrEqual": "1.33.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30470",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T15:43:38.856358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T15:47:12.904Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:38:59.532Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-account-funds-premium/wordpress-yith-woocommerce-account-funds-premium-plugin-1-32-0-broken-access-control-leading-to-arbitrary-funds-adding-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Account Funds Premium",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "1.34.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.33.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.\u003cp\u003eThis issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.This issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-09T10:51:38.527Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-account-funds-premium/wordpress-yith-woocommerce-account-funds-premium-plugin-1-32-0-broken-access-control-leading-to-arbitrary-funds-adding-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.34.0 or a higher version."
}
],
"value": "Update to 1.34.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Account Funds Premium plugin \u003c= 1.32.0 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30470",
"datePublished": "2024-06-09T10:51:38.527Z",
"dateReserved": "2024-03-27T07:10:19.559Z",
"dateUpdated": "2024-08-02T01:38:59.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-35698 (GCVE-0-2024-35698)
Vulnerability from cvelistv5 – Published: 2024-06-08 14:19 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH WooCommerce Tab Manager plugin <= 1.35.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Tab Manager yith-woocommerce-tab-manager.This issue affects YITH WooCommerce Tab Manager: from n/a through <= 1.35.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Tab Manager |
Affected:
0 , ≤ 1.35.0
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
savphill | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T02:45:17.827180Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T02:45:24.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.937Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-tab-manager/wordpress-yith-woocommerce-tab-manager-plugin-1-35-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-tab-manager",
"product": "YITH WooCommerce Tab Manager",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "1.35.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.35.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:02.531Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Tab Manager yith-woocommerce-tab-manager.\u003cp\u003eThis issue affects YITH WooCommerce Tab Manager: from n/a through \u003c= 1.35.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Tab Manager yith-woocommerce-tab-manager.This issue affects YITH WooCommerce Tab Manager: from n/a through \u003c= 1.35.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:18.666Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-tab-manager/vulnerability/wordpress-yith-woocommerce-tab-manager-plugin-1-35-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Tab Manager plugin \u003c= 1.35.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35698",
"datePublished": "2024-06-08T14:19:22.304Z",
"dateReserved": "2024-05-17T10:09:07.347Z",
"dateUpdated": "2026-04-01T15:34:18.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35732 (GCVE-0-2024-35732)
Vulnerability from cvelistv5 – Published: 2024-06-08 12:52 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH Custom Login plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH Custom Login yith-custom-login.This issue affects YITH Custom Login: from n/a through <= 1.7.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH Custom Login |
Affected:
0 , ≤ 1.7.0
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
filime | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T17:41:19.398969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:41:31.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:14:53.965Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-custom-login/wordpress-yith-custom-login-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-custom-login",
"product": "YITH Custom Login",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "1.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "filime | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:13.011Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH Custom Login yith-custom-login.\u003cp\u003eThis issue affects YITH Custom Login: from n/a through \u003c= 1.7.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH Custom Login yith-custom-login.This issue affects YITH Custom Login: from n/a through \u003c= 1.7.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:19.507Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-custom-login/vulnerability/wordpress-yith-custom-login-plugin-1-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH Custom Login plugin \u003c= 1.7.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35732",
"datePublished": "2024-06-08T12:52:23.361Z",
"dateReserved": "2024-05-17T10:09:46.005Z",
"dateUpdated": "2026-04-01T15:34:19.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-34385 (GCVE-0-2024-34385)
Vulnerability from cvelistv5 – Published: 2024-06-03 11:41 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH WooCommerce Wishlist plugin <= 3.32.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Wishlist yith-woocommerce-wishlist.This issue affects YITH WooCommerce Wishlist: from n/a through <= 3.32.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Wishlist |
Affected:
0 , ≤ 3.32.0
(custom)
|
Date Public ?
2026-04-01 16:25
Credits
savphill | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-34385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-06T02:48:21.215098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-06T02:48:23.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:51:10.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-wishlist/wordpress-yith-woocommerce-wishlist-plugin-3-32-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-wishlist",
"product": "YITH WooCommerce Wishlist",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "3.33.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.32.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:25:38.820Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Wishlist yith-woocommerce-wishlist.\u003cp\u003eThis issue affects YITH WooCommerce Wishlist: from n/a through \u003c= 3.32.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Wishlist yith-woocommerce-wishlist.This issue affects YITH WooCommerce Wishlist: from n/a through \u003c= 3.32.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:11.621Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-wishlist/vulnerability/wordpress-yith-woocommerce-wishlist-plugin-3-32-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Wishlist plugin \u003c= 3.32.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-34385",
"datePublished": "2024-06-03T11:41:00.230Z",
"dateReserved": "2024-05-02T11:32:47.762Z",
"dateUpdated": "2026-04-01T15:34:11.621Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32699 (GCVE-0-2024-32699)
Vulnerability from cvelistv5 – Published: 2024-04-24 15:00 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress YITH WooCommerce Compare plugin <= 2.37.0 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare.This issue affects YITH WooCommerce Compare: from n/a through <= 2.37.0.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Compare |
Affected:
0 , ≤ 2.37.0
(custom)
|
Date Public ?
2026-04-01 16:25
Credits
Ngô Thiên An (ancorn_ from VNPT-VCI) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wordpress:yith_woocommerce_compare:-:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yith_woocommerce_compare",
"vendor": "wordpress",
"versions": [
{
"lessThanOrEqual": "2.37.0",
"status": "affected",
"version": "-",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32699",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-30T15:23:46.754301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:50:43.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:20:34.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-compare/wordpress-yith-woocommerce-compare-plugin-2-37-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-compare",
"product": "YITH WooCommerce Compare",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "2.38.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.37.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ng\u00f4 Thi\u00ean An (ancorn_ from VNPT-VCI) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:25:10.197Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare.\u003cp\u003eThis issue affects YITH WooCommerce Compare: from n/a through \u003c= 2.37.0.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare.This issue affects YITH WooCommerce Compare: from n/a through \u003c= 2.37.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:05.874Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-compare/vulnerability/wordpress-yith-woocommerce-compare-plugin-2-37-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Compare plugin \u003c= 2.37.0 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-32699",
"datePublished": "2024-04-24T15:00:57.371Z",
"dateReserved": "2024-04-17T08:56:01.507Z",
"dateUpdated": "2026-04-01T15:34:05.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-44633 (GCVE-0-2022-44633)
Vulnerability from cvelistv5 – Published: 2024-03-21 17:44 – Updated: 2024-08-03 13:54
VLAI?
Title
WordPress YITH WooCommerce Gift Cards Premium plugin <= 3.23.1 - Unauth. Gift Card Creation Leading to Stored XSS vulnerability
Summary
Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.This issue affects YITH WooCommerce Gift Cards Premium: from n/a through 3.23.1.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Gift Cards Premium |
Affected:
n/a , ≤ 3.23.1
(custom)
|
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yith:yith_woocommerce_gift_cards_premium:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "yith_woocommerce_gift_cards_premium",
"vendor": "yith",
"versions": [
{
"lessThanOrEqual": "3.23.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-44633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T16:05:35.086331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T17:10:24.753Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:04.012Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-23-1-unauth-gift-card-creation-leading-to-stored-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-gift-cards-premium",
"product": "YITH WooCommerce Gift Cards Premium",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "3.24.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.23.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.\u003cp\u003eThis issue affects YITH WooCommerce Gift Cards Premium: from n/a through 3.23.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in YITH YITH WooCommerce Gift Cards Premium.This issue affects YITH WooCommerce Gift Cards Premium: from n/a through 3.23.1.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-21T17:44:27.827Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-23-1-unauth-gift-card-creation-leading-to-stored-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.24.0 or a higher version."
}
],
"value": "Update to 3.24.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Gift Cards Premium plugin \u003c= 3.23.1 - Unauth. Gift Card Creation Leading to Stored XSS vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-44633",
"datePublished": "2024-03-21T17:44:27.827Z",
"dateReserved": "2022-11-02T13:01:27.887Z",
"dateUpdated": "2024-08-03T13:54:04.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27994 (GCVE-0-2024-27994)
Vulnerability from cvelistv5 – Published: 2024-03-21 15:03 – Updated: 2026-04-01 15:33
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.5.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.5.0.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITHEMES | YITH WooCommerce Product Add-Ons |
Affected:
0 , ≤ 4.5.0
(custom)
|
Date Public ?
2026-04-01 16:23
Credits
Yudistira Arya | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-25T16:23:51.639654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T20:15:24.461Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:41:55.959Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-plugin-4-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITHEMES",
"versions": [
{
"changes": [
{
"at": "4.6.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yudistira Arya | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:23:46.973Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.5.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through \u003c= 4.5.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:33:44.727Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-product-add-ons/vulnerability/wordpress-yith-woocommerce-product-add-ons-plugin-4-5-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress YITH WooCommerce Product Add-Ons plugin \u003c= 4.5.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-27994",
"datePublished": "2024-03-21T15:03:11.763Z",
"dateReserved": "2024-02-29T05:40:20.605Z",
"dateUpdated": "2026-04-01T15:33:44.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49777 (GCVE-0-2023-49777)
Vulnerability from cvelistv5 – Published: 2023-12-31 10:11 – Updated: 2024-08-02 22:01
VLAI?
Title
WordPress YITH WooCommerce Product Add-Ons Plugin <= 4.3.0 is vulnerable to PHP Object Injection
Summary
Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.
Severity ?
9.1 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Product Add-Ons |
Affected:
n/a , ≤ 4.3.0
(custom)
|
Credits
Rafie Muhammad (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.864Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-extra-options-plugin-4-3-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "yith-woocommerce-product-add-ons",
"product": "YITH WooCommerce Product Add-Ons",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "4.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.\u003cp\u003eThis issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T10:11:30.776Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-product-add-ons/wordpress-yith-woocommerce-product-add-ons-extra-options-plugin-4-3-0-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 4.3.1 or a higher version.\u003cbr\u003e"
}
],
"value": "Update to 4.3.1 or a higher version.\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Product Add-Ons Plugin \u003c= 4.3.0 is vulnerable to PHP Object Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-49777",
"datePublished": "2023-12-31T10:11:30.776Z",
"dateReserved": "2023-11-30T13:22:54.826Z",
"dateUpdated": "2024-08-02T22:01:25.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45359 (GCVE-0-2022-45359)
Vulnerability from cvelistv5 – Published: 2022-12-06 20:36 – Updated: 2025-02-20 19:48
VLAI?
Title
WordPress YITH WooCommerce Gift Cards Premium Plugin <= 3.19.0 is vulnerable to Arbitrary File Upload
Summary
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH WooCommerce Gift Cards |
Affected:
n/a , ≤ 3.19.0
(custom)
|
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:56.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-19-0-unauth-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-20T19:13:40.321115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-20T19:48:21.629Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YITH WooCommerce Gift Cards",
"vendor": "YITH",
"versions": [
{
"changes": [
{
"at": "3.20.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.19.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauth. Arbitrary File Upload vulnerability in\u0026nbsp;YITH WooCommerce Gift Cards premium plugin \u0026lt;=\u0026nbsp;3.19.0 on WordPress."
}
],
"value": "Unauth. Arbitrary File Upload vulnerability in\u00a0YITH WooCommerce Gift Cards premium plugin \u003c=\u00a03.19.0 on WordPress."
}
],
"impacts": [
{
"capecId": "CAPEC-17",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-17 Using Malicious Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-06T20:36:51.978Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/yith-woocommerce-gift-cards-premium/wordpress-yith-woocommerce-gift-cards-premium-plugin-3-19-0-unauth-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.20.0 or higher version."
}
],
"value": "Update to\u00a03.20.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress YITH WooCommerce Gift Cards Premium Plugin \u003c= 3.19.0 is vulnerable to Arbitrary File Upload",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-45359",
"datePublished": "2022-12-06T20:36:45.061Z",
"dateReserved": "2022-11-14T12:58:52.279Z",
"dateUpdated": "2025-02-20T19:48:21.629Z",
"requesterUserId": "d8dbf4e1-529d-4720-9217-aa8466b80059",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36845 (GCVE-0-2021-36845)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:36 – Updated: 2025-03-28 16:49
VLAI?
Title
YITH Maintenance Mode (WordPress plugin) <= 1.3.8 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - "Newsletter" tab, &yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (') symbol to break the context, i.e.: NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' - this payload will be auto triggered while admin visits this page/tab. 2 - "General" tab issues, vulnerable parameters: &yith_maintenance_message, &yith_maintenance_custom_style, &yith_maintenance_mascotte, &yith_maintenance_title_font[size], &yith_maintenance_title_font[family], &yith_maintenance_title_font[color], &yith_maintenance_paragraph_font[size], &yith_maintenance_paragraph_font[family], &yith_maintenance_paragraph_font[color], &yith_maintenance_border_top. 3 - "Background" tab issues, vulnerable parameters: &yith_maintenance_background_image, &yith_maintenance_background_color. 4 - "Logo" tab issues, vulnerable parameters: &yith_maintenance_logo_image, &yith_maintenance_logo_tagline, &yith_maintenance_logo_tagline_font[size], &yith_maintenance_logo_tagline_font[family], &yith_maintenance_logo_tagline_font[color]. 5 - "Newsletter" tab issues, vulnerable parameters: &yith_maintenance_newsletter_email_font[size], &yith_maintenance_newsletter_email_font[family], &yith_maintenance_newsletter_email_font[color], &yith_maintenance_newsletter_submit_font[size], &yith_maintenance_newsletter_submit_font[family], &yith_maintenance_newsletter_submit_font[color], &yith_maintenance_newsletter_submit_background, &yith_maintenance_newsletter_submit_background_hover, &yith_maintenance_newsletter_title, &yith_maintenance_newsletter_action, &yith_maintenance_newsletter_email_label, &yith_maintenance_newsletter_email_name, &yith_maintenance_newsletter_submit_label, &yith_maintenance_newsletter_hidden_fields. 6 - "Socials" tab issues, vulnerable parameters: &yith_maintenance_socials_facebook, &yith_maintenance_socials_twitter, &yith_maintenance_socials_gplus, &yith_maintenance_socials_youtube, &yith_maintenance_socials_rss, &yith_maintenance_socials_skype, &yith_maintenance_socials_email, &yith_maintenance_socials_behance, &yith_maintenance_socials_dribble, &yith_maintenance_socials_flickr, &yith_maintenance_socials_instagram, &yith_maintenance_socials_pinterest, &yith_maintenance_socials_tumblr, &yith_maintenance_socials_linkedin.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH Maintenance Mode (WordPress plugin) |
Affected:
<= 1.3.8 , ≤ 1.3.8
(custom)
|
Date Public ?
2021-09-23 00:00
Credits
Original researcher - Vlad Visse (Patchstack), research based on previously reported vulnerability by Asif Nawaz Minhas (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.769Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:49:24.310788Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:49:27.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "YITH Maintenance Mode (WordPress plugin)",
"vendor": "YITH",
"versions": [
{
"lessThanOrEqual": "1.3.8",
"status": "affected",
"version": "\u003c= 1.3.8",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - Vlad Visse (Patchstack), research based on previously reported vulnerability by Asif Nawaz Minhas (Patchstack Red Team)"
}
],
"datePublic": "2021-09-23T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions \u003c= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - \"Newsletter\" tab, \u0026yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (\u0027) symbol to break the context, i.e.: NOTIFY ME\u0027 autofocus onfocus=alert(/Visse/);// v=\u0027 - this payload will be auto triggered while admin visits this page/tab. 2 - \"General\" tab issues, vulnerable parameters: \u0026yith_maintenance_message, \u0026yith_maintenance_custom_style, \u0026yith_maintenance_mascotte, \u0026yith_maintenance_title_font[size], \u0026yith_maintenance_title_font[family], \u0026yith_maintenance_title_font[color], \u0026yith_maintenance_paragraph_font[size], \u0026yith_maintenance_paragraph_font[family], \u0026yith_maintenance_paragraph_font[color], \u0026yith_maintenance_border_top. 3 - \"Background\" tab issues, vulnerable parameters: \u0026yith_maintenance_background_image, \u0026yith_maintenance_background_color. 4 - \"Logo\" tab issues, vulnerable parameters: \u0026yith_maintenance_logo_image, \u0026yith_maintenance_logo_tagline, \u0026yith_maintenance_logo_tagline_font[size], \u0026yith_maintenance_logo_tagline_font[family], \u0026yith_maintenance_logo_tagline_font[color]. 5 - \"Newsletter\" tab issues, vulnerable parameters: \u0026yith_maintenance_newsletter_email_font[size], \u0026yith_maintenance_newsletter_email_font[family], \u0026yith_maintenance_newsletter_email_font[color], \u0026yith_maintenance_newsletter_submit_font[size], \u0026yith_maintenance_newsletter_submit_font[family], \u0026yith_maintenance_newsletter_submit_font[color], \u0026yith_maintenance_newsletter_submit_background, \u0026yith_maintenance_newsletter_submit_background_hover, \u0026yith_maintenance_newsletter_title, \u0026yith_maintenance_newsletter_action, \u0026yith_maintenance_newsletter_email_label, \u0026yith_maintenance_newsletter_email_name, \u0026yith_maintenance_newsletter_submit_label, \u0026yith_maintenance_newsletter_hidden_fields. 6 - \"Socials\" tab issues, vulnerable parameters: \u0026yith_maintenance_socials_facebook, \u0026yith_maintenance_socials_twitter, \u0026yith_maintenance_socials_gplus, \u0026yith_maintenance_socials_youtube, \u0026yith_maintenance_socials_rss, \u0026yith_maintenance_socials_skype, \u0026yith_maintenance_socials_email, \u0026yith_maintenance_socials_behance, \u0026yith_maintenance_socials_dribble, \u0026yith_maintenance_socials_flickr, \u0026yith_maintenance_socials_instagram, \u0026yith_maintenance_socials_pinterest, \u0026yith_maintenance_socials_tumblr, \u0026yith_maintenance_socials_linkedin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:36:56.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.4.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "YITH Maintenance Mode (WordPress plugin) \u003c= 1.3.8 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-09-23T11:55:00.000Z",
"ID": "CVE-2021-36845",
"STATE": "PUBLIC",
"TITLE": "YITH Maintenance Mode (WordPress plugin) \u003c= 1.3.8 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "YITH Maintenance Mode (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.3.8",
"version_value": "1.3.8"
}
]
}
}
]
},
"vendor_name": "YITH"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - Vlad Visse (Patchstack), research based on previously reported vulnerability by Asif Nawaz Minhas (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions \u003c= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - \"Newsletter\" tab, \u0026yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (\u0027) symbol to break the context, i.e.: NOTIFY ME\u0027 autofocus onfocus=alert(/Visse/);// v=\u0027 - this payload will be auto triggered while admin visits this page/tab. 2 - \"General\" tab issues, vulnerable parameters: \u0026yith_maintenance_message, \u0026yith_maintenance_custom_style, \u0026yith_maintenance_mascotte, \u0026yith_maintenance_title_font[size], \u0026yith_maintenance_title_font[family], \u0026yith_maintenance_title_font[color], \u0026yith_maintenance_paragraph_font[size], \u0026yith_maintenance_paragraph_font[family], \u0026yith_maintenance_paragraph_font[color], \u0026yith_maintenance_border_top. 3 - \"Background\" tab issues, vulnerable parameters: \u0026yith_maintenance_background_image, \u0026yith_maintenance_background_color. 4 - \"Logo\" tab issues, vulnerable parameters: \u0026yith_maintenance_logo_image, \u0026yith_maintenance_logo_tagline, \u0026yith_maintenance_logo_tagline_font[size], \u0026yith_maintenance_logo_tagline_font[family], \u0026yith_maintenance_logo_tagline_font[color]. 5 - \"Newsletter\" tab issues, vulnerable parameters: \u0026yith_maintenance_newsletter_email_font[size], \u0026yith_maintenance_newsletter_email_font[family], \u0026yith_maintenance_newsletter_email_font[color], \u0026yith_maintenance_newsletter_submit_font[size], \u0026yith_maintenance_newsletter_submit_font[family], \u0026yith_maintenance_newsletter_submit_font[color], \u0026yith_maintenance_newsletter_submit_background, \u0026yith_maintenance_newsletter_submit_background_hover, \u0026yith_maintenance_newsletter_title, \u0026yith_maintenance_newsletter_action, \u0026yith_maintenance_newsletter_email_label, \u0026yith_maintenance_newsletter_email_name, \u0026yith_maintenance_newsletter_submit_label, \u0026yith_maintenance_newsletter_hidden_fields. 6 - \"Socials\" tab issues, vulnerable parameters: \u0026yith_maintenance_socials_facebook, \u0026yith_maintenance_socials_twitter, \u0026yith_maintenance_socials_gplus, \u0026yith_maintenance_socials_youtube, \u0026yith_maintenance_socials_rss, \u0026yith_maintenance_socials_skype, \u0026yith_maintenance_socials_email, \u0026yith_maintenance_socials_behance, \u0026yith_maintenance_socials_dribble, \u0026yith_maintenance_socials_flickr, \u0026yith_maintenance_socials_instagram, \u0026yith_maintenance_socials_pinterest, \u0026yith_maintenance_socials_tumblr, \u0026yith_maintenance_socials_linkedin."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/yith-maintenance-mode/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-8-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.4.0 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36845",
"datePublished": "2021-09-27T15:36:56.716Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:49:27.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36841 (GCVE-0-2021-36841)
Vulnerability from cvelistv5 – Published: 2021-09-27 15:35 – Updated: 2025-03-28 16:49
VLAI?
Title
YITH Maintenance Mode (WordPress plugin) <= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability.
Summary
Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.
Severity ?
6.9 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YITH | YITH Maintenance Mode (WordPress plugin) |
Affected:
<= 1.3.7 , ≤ 1.3.7
(custom)
|
Date Public ?
2021-09-15 00:00
Credits
Original researcher - Asif Nawaz Minhas (Patchstack Red Team)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:01:59.890Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-7-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-36841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-28T16:49:44.054812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-28T16:49:47.361Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "YITH Maintenance Mode (WordPress plugin)",
"vendor": "YITH",
"versions": [
{
"lessThanOrEqual": "1.3.7",
"status": "affected",
"version": "\u003c= 1.3.7",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Original researcher - Asif Nawaz Minhas (Patchstack Red Team)"
}
],
"datePublic": "2021-09-15T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions \u003c= 1.3.7, vulnerable parameter \u0026yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-09-27T15:35:11.000Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-7-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to 1.3.8 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "YITH Maintenance Mode (WordPress plugin) \u003c= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability.",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "audit@patchstack.com",
"DATE_PUBLIC": "2021-09-15T11:59:00.000Z",
"ID": "CVE-2021-36841",
"STATE": "PUBLIC",
"TITLE": "YITH Maintenance Mode (WordPress plugin) \u003c= 1.3.7 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "YITH Maintenance Mode (WordPress plugin)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "\u003c= 1.3.7",
"version_value": "1.3.7"
}
]
}
}
]
},
"vendor_name": "YITH"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Original researcher - Asif Nawaz Minhas (Patchstack Red Team)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions \u003c= 1.3.7, vulnerable parameter \u0026yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/yith-maintenance-mode/#developers",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/yith-maintenance-mode/#developers"
},
{
"name": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-7-authenticated-stored-cross-site-scripting-xss-vulnerability",
"refsource": "MISC",
"url": "https://patchstack.com/database/vulnerability/yith-maintenance-mode/wordpress-yith-maintenance-mode-plugin-1-3-7-authenticated-stored-cross-site-scripting-xss-vulnerability"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to 1.3.8 or higher version."
}
],
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2021-36841",
"datePublished": "2021-09-27T15:35:11.053Z",
"dateReserved": "2021-07-19T00:00:00.000Z",
"dateUpdated": "2025-03-28T16:49:47.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}