MidnightBSD

Advisories for multidots

CVE-2018-11485 MEDIUM

The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "referral_site" cookie to have an XSS payload, and placing an order.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
multidots woocommerce_quick_reports *
CVE-2018-11486 MEDIUM

An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field, which will be loaded on every site page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
multidots advance_search_for_woocommerce *
CVE-2018-11579 MEDIUM

class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting by simply sending a request with a wbm_save_shop_page_banner_data action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
multidots woocommerce_category_banner_management 1.1.0
CVE-2018-11580 LOW

An issue was discovered in mass-pages-posts-creator.php in the MULTIDOTS Mass Pages/Posts Creator plugin 1.2.2 for WordPress. Any logged in user can launch Mass Pages/Posts creation with custom content. There is no nonce or user capability check, so anyone can launch a DoS attack against a site and create hundreds of thousands of posts with custom content.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
multidots mass_pages/posts_creator 1.2.2
CVE-2018-11632 MEDIUM

An issue was discovered in the MULTIDOTS Add Social Share Messenger Buttons Whatsapp and Viber plugin 1.0.8 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings via wp-admin/admin-post.php CSRF. There's no nonce or capability check in the whatsapp_share_setting_add_update() function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
multidots add_social_share_messenger_buttons_whatsapp_and_viber 1.0.8
CVE-2018-11633 MEDIUM

An issue was discovered in the MULTIDOTS Woo Checkout for Digital Goods plugin 2.1 for WordPress. If an admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), the attacker can change the plugin settings. The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php doesn't do any check against wp-admin/admin-post.php Cross-site request forgery (CSRF) and user capabilities.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
multidots woo_checkout_for_digital_goods 2.1
CVE-2023-39158

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Banner Management For WooCommerce plugin <= 2.4.2 versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
multidots banner_management_for_woocommerce *
CVE-2023-39159

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Fraud Prevention For Woocommerce plugin <= 2.1.5 versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
multidots fraud_prevention_for_woocommerce *
CVE-2023-40212

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Product Attachment for WooCommerce plugin <= 2.1.8 versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
multidots product_attachment_for_woocommerce *
CVE-2023-40559

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Dynamic Pricing and Discount Rules for WooCommerce plugin <= 2.4.0 versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
audit@patchstack.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
multidots dynamic_pricing_and_discount_rules_for_woocommerce *
CVE-2023-40561

Cross-Site Request Forgery (CSRF) vulnerability in theDotstore Enhanced Ecommerce Google Analytics for WooCommerce plugin <= 3.7.1 versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L 2.8 2.5
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
multidots enhanced_ecommerce_google_analytics_for_woocommerce *
CVE-2025-46244

Missing Authorization vulnerability in Dotstore Advanced Linked Variations for Woocommerce linked-variation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Linked Variations for Woocommerce: from n/a through <= 1.0.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
audit@patchstack.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
multidots advanced_linked_variations_for_woocommerce *