BEAR < 1.1.4.1 – Authenticated (Shop manager+) Stored Cross-Site Scripting via Plugin Options | CVE 2024-24834 | Plugin Vulnerabilities

Description

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin options in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

woo-bulk-editor

Fixed in 1.1.4.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/32682598-ad1c-4aa1-bdf2-a7966a4d1dbe

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Mika

Verified

No

WPVDB ID

35933cc0-a0d4-4f3f-9249-7daa2a4e9611

Timeline

Publicly Published

2024-02-02 (about 2 years ago)

Added

2024-02-05 (about 2 years ago)

Last Updated

2024-02-05 (about 2 years ago)

Other

Published

Title

Published

2026-03-16

Title

Jobica Core < 1.4.2 - Reflected Cross-Site Scripting

Published

2025-01-16

Title

MACME <= 1.2 - Reflected Cross-Site Scripting

Published

2025-03-24

Title

Beautiful Link Preview <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2025-09-22

Title

DELUCKS SEO <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-09-30

Title

Opal Service <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting