Sixteen XforWooCommerce Add-On Plugins for WordPress are vulnerable to authorization bypass due to a missing capability check on the wp_ajax_svx_ajax_factory function in various versions listed below. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to read, edit, or delete WordPress settings, plugin settings, and to arbitrarily list all users on a WordPress website. The plugins impacted are: Product Filter for WooCommerce < 8.2.0, Improved Product Options for WooCommerce < 5.3.0, Improved Sale Badges for WooCommerce < 4.4.0, Share, Print and PDF Products for WooCommerce < 2.8.0, Product Loops for WooCommerce < 1.7.0, XforWooCommerce < 1.7.0, Package Quantity Discount < 1.2.0, Price Commander for WooCommerce < 1.3.0, Comment and Review Spam Control for WooCommerce < 1.5.0, Add Product Tabs for WooCommerce < 1.5.0, Autopilot SEO for WooCommerce < 1.6.0, Floating Cart < 1.3.0, Live Search for WooCommerce < 2.1.0, Bulk Add to Cart for WooCommerce < 1.3.0, Live Product Editor for WooCommerce < 4.7.0, and Warranties and Returns for WooCommerce < 5.3.0.
Category Archives: Advisories
CVE-2021-4379
The WooCommerce Multi Currency plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wmc_bulk_fixed_price function in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to make changes to product prices.
CVE-2021-4380
The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
python3.7-3.7.16-4.fc39
FEDORA-2023-75c4fc87fc
Packages in this update:
python3.7-3.7.16-4.fc39
Update description:
Automatic update for python3.7-3.7.16-4.fc39.
Changelog
* Mon May 29 2023 Charalampos Stratakis <cstratak@redhat.com> - 3.7.16-4
- Fix for CVE-2023-24329
Resolves: rhbz#2174014
syncthing-1.23.5-1.el8
FEDORA-EPEL-2023-e14003b86d
Packages in this update:
syncthing-1.23.5-1.el8
Update description:
Update to version 1.23.5. Addresses CVE-2022-46165.
syncthing-1.23.5-1.el9
FEDORA-EPEL-2023-a1ed86449c
Packages in this update:
syncthing-1.23.5-1.el9
Update description:
Update to version 1.23.5. Addresses CVE-2022-46165.
syncthing-1.23.5-1.fc37
FEDORA-2023-bf86df7ee8
Packages in this update:
syncthing-1.23.5-1.fc37
Update description:
Update to version 1.23.5. Addresses CVE-2022-46165.
syncthing-1.23.5-1.fc38
FEDORA-2023-39eb10ec3c
Packages in this update:
syncthing-1.23.5-1.fc38
Update description:
Update to version 1.23.5. Addresses CVE-2022-46165.
perl-HTML-StripScripts-1.06-22.fc38
FEDORA-2023-a42aa9700f
Packages in this update:
perl-HTML-StripScripts-1.06-22.fc38
Update description:
Fixes CVE-2023-24038
perl-HTML-StripScripts-1.06-22.fc37
FEDORA-2023-6f16e3bcee
Packages in this update:
perl-HTML-StripScripts-1.06-22.fc37
Update description:
Fixes CVE-2023-24038