Affected Products

Vendor / product matrix with CVE counts sourced from the CPE catalog.

Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
yithemes
4416030.7%CRITICAL

Related CVEs

16
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2024-50448Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.14.1.MEDIUM6.121.9%Oct 28, 2024
CVE-2024-7846YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts.MEDIUM5.422.1%Sep 23, 2024
CVE-2024-8665The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.MEDIUM6.136.9%Sep 13, 2024
CVE-2024-6799The YITH Essential Kit for WooCommerce #1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_module', 'deactivate_module', and 'install_module' functions in all versions up to, and including, 2.34.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install, activate, and deactivate plugins from a pre-defined list of available YITH plugins.MEDIUM4.324.8%Jul 19, 2024
CVE-2024-35680Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.9.2.MEDIUM5.324.6%Jun 10, 2024
CVE-2024-30470Missing Authorization vulnerability in YITH YITH WooCommerce Account Funds Premium.This issue affects YITH WooCommerce Account Funds Premium: from n/a through 1.33.0.HIGH8.830.3%Jun 9, 2024
CVE-2024-35698Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Tab Manager yith-woocommerce-tab-manager.This issue affects YITH WooCommerce Tab Manager: from n/a through <= 1.35.0.MEDIUM4.819.6%Jun 8, 2024
CVE-2024-35732Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH Custom Login yith-custom-login.This issue affects YITH Custom Login: from n/a through <= 1.7.0.MEDIUM4.819.8%Jun 8, 2024
CVE-2024-4455The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.MEDIUM6.158.7%May 24, 2024
CVE-2023-49777Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.HIGH8.848.2%Dec 31, 2023
CVE-2022-45359Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin <= 3.19.0 on WordPress.CRITICAL9.8Dec 6, 2022
CVE-2022-0818The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin.MEDIUM6.1Mar 28, 2022
CVE-2021-36845Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. Vulnerable parameters: 1 - "Newsletter" tab, &yith_maintenance_newsletter_submit_label parameter: payload should start with a single quote (') symbol to break the context, i.e.: NOTIFY ME' autofocus onfocus=alert(/Visse/);// v=' - this payload will be auto triggered while admin visits this page/tab. 2 - "General" tab issues, vulnerable parameters: &yith_maintenance_message, &yith_maintenance_custom_style, &yith_maintenance_mascotte, &yith_maintenance_title_font[size], &yith_maintenance_title_font[family], &yith_maintenance_title_font[color], &yith_maintenance_paragraph_font[size], &yith_maintenance_paragraph_font[family], &yith_maintenance_paragraph_font[color], &yith_maintenance_border_top. 3 - "Background" tab issues, vulnerable parameters: &yith_maintenance_background_image, &yith_maintenance_background_color. 4 - "Logo" tab issues, vulnerable parameters: &yith_maintenance_logo_image, &yith_maintenance_logo_tagline, &yith_maintenance_logo_tagline_font[size], &yith_maintenance_logo_tagline_font[family], &yith_maintenance_logo_tagline_font[color]. 5 - "Newsletter" tab issues, vulnerable parameters: &yith_maintenance_newsletter_email_font[size], &yith_maintenance_newsletter_email_font[family], &yith_maintenance_newsletter_email_font[color], &yith_maintenance_newsletter_submit_font[size], &yith_maintenance_newsletter_submit_font[family], &yith_maintenance_newsletter_submit_font[color], &yith_maintenance_newsletter_submit_background, &yith_maintenance_newsletter_submit_background_hover, &yith_maintenance_newsletter_title, &yith_maintenance_newsletter_action, &yith_maintenance_newsletter_email_label, &yith_maintenance_newsletter_email_name, &yith_maintenance_newsletter_submit_label, &yith_maintenance_newsletter_hidden_fields. 6 - "Socials" tab issues, vulnerable parameters: &yith_maintenance_socials_facebook, &yith_maintenance_socials_twitter, &yith_maintenance_socials_gplus, &yith_maintenance_socials_youtube, &yith_maintenance_socials_rss, &yith_maintenance_socials_skype, &yith_maintenance_socials_email, &yith_maintenance_socials_behance, &yith_maintenance_socials_dribble, &yith_maintenance_socials_flickr, &yith_maintenance_socials_instagram, &yith_maintenance_socials_pinterest, &yith_maintenance_socials_tumblr, &yith_maintenance_socials_linkedin.MEDIUM4.8Sep 27, 2021
CVE-2021-36841Authenticated Stored Cross-Site Scripting (XSS) vulnerability in YITH Maintenance Mode (WordPress plugin) versions <= 1.3.7, vulnerable parameter &yith_maintenance_newsletter_submit_label. Possible even when unfiltered HTML is disallowed by WordPress configuration.MEDIUM5.4Sep 27, 2021
CVE-2019-16251plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options changes.MEDIUM4.3Oct 31, 2019
CVE-2015-9429The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter.MEDIUM6.5Sep 26, 2019