WordPress Plugin Vulnerabilities

PPOM for WooCommerce < 32.0.21 - Unauthenticated Content Injection Vulnerability

Description

The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to Content Injection in all versions up to, and including, 32.0.20. This is due to the plugin not properly validating a field that can be updated. This makes it possible for unauthenticated attackers to inject arbitrary content.

Affects Plugins

Plugin icon
woocommerce-product-addon
Fixed in 32.0.21

References

CVE
CVE-2024-35728
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/325813f3-c893-4e98-ad99-452ff63d5e18

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
600cbfa7-2114-4bbe-84a4-2c4622465999

Timeline

Publicly Published
2024-06-06 (about 2 years ago)
Added
2024-06-14 (about 2 years ago)
Last Updated
2024-06-14 (about 2 years ago)

Other

Published
Title
Published
2026-02-17
Title
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 6.0.7.0 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment
Published
2024-06-27
Title
WooCommerce < 9.0.0 - Shop Manager+ Content Injection
Published
2024-06-03
Title
Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update
Published
2024-06-06
Title
YITH WooCommerce Product Add-Ons < 4.9.3 - Unauthenticated Content Injection
Published
2022-11-29
Title
Quiz and Survey Master < 8.0.5 - Improper Input Validation