Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by woocommerce-filter
CVE-2018-8711 (GCVE-0-2018-8711)
Vulnerability from cvelistv5 – Published: 2018-03-14 19:00 – Updated: 2024-09-17 02:06
VLAI
EPSS
VEX
Summary
A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/woocommerce-product… | x_refsource_MISC |
| https://sec-consult.com/en/blog/advisories/arbitr… | x_refsource_MISC |
| https://www.woocommerce-filter.com/update-woocomm… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:25.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-14T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8711",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/woocommerce-products-filter/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"name": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html",
"refsource": "MISC",
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"name": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/",
"refsource": "MISC",
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8711",
"datePublished": "2018-03-14T19:00:00.000Z",
"dateReserved": "2018-03-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:59.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8710 (GCVE-0-2018-8710)
Vulnerability from cvelistv5 – Published: 2018-03-14 19:00 – Updated: 2024-09-16 16:27
VLAI
EPSS
VEX
Summary
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/woocommerce-product… | x_refsource_MISC |
| https://sec-consult.com/en/blog/advisories/arbitr… | x_refsource_MISC |
| https://www.woocommerce-filter.com/update-woocomm… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:25.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the \"shortcode\" parameters would be evaluated. Normally unauthenticated users can\u0027t evaluate shortcodes as they are often sensitive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-14T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8710",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the \"shortcode\" parameters would be evaluated. Normally unauthenticated users can\u0027t evaluate shortcodes as they are often sensitive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/woocommerce-products-filter/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"name": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html",
"refsource": "MISC",
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"name": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/",
"refsource": "MISC",
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8710",
"datePublished": "2018-03-14T19:00:00.000Z",
"dateReserved": "2018-03-14T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:32.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8711 (GCVE-0-2018-8711)
Vulnerability from nvd – Published: 2018-03-14 19:00 – Updated: 2024-09-17 02:06
VLAI
EPSS
VEX
Summary
A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/woocommerce-product… | x_refsource_MISC |
| https://sec-consult.com/en/blog/advisories/arbitr… | x_refsource_MISC |
| https://www.woocommerce-filter.com/update-woocomm… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:25.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-14T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8711",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable, which then could lead to a local file inclusion attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/woocommerce-products-filter/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"name": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html",
"refsource": "MISC",
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"name": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/",
"refsource": "MISC",
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8711",
"datePublished": "2018-03-14T19:00:00.000Z",
"dateReserved": "2018-03-14T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:06:59.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-8710 (GCVE-0-2018-8710)
Vulnerability from nvd – Published: 2018-03-14 19:00 – Updated: 2024-09-16 16:27
VLAI
EPSS
VEX
Summary
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://wordpress.org/plugins/woocommerce-product… | x_refsource_MISC |
| https://sec-consult.com/en/blog/advisories/arbitr… | x_refsource_MISC |
| https://www.woocommerce-filter.com/update-woocomm… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:02:25.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the \"shortcode\" parameters would be evaluated. Normally unauthenticated users can\u0027t evaluate shortcodes as they are often sensitive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-14T19:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-8710",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the \"shortcode\" parameters would be evaluated. Normally unauthenticated users can\u0027t evaluate shortcodes as they are often sensitive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/woocommerce-products-filter/#developers",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/woocommerce-products-filter/#developers"
},
{
"name": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html",
"refsource": "MISC",
"url": "https://sec-consult.com/en/blog/advisories/arbitrary-shortcode-execution-local-file-inclusion-in-woof-pluginus-net/index.html"
},
{
"name": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/",
"refsource": "MISC",
"url": "https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-8710",
"datePublished": "2018-03-14T19:00:00.000Z",
"dateReserved": "2018-03-14T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:27:32.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}