WordPress Plugin Vulnerabilities

NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality

Description

An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain.

Proof of Concept

Affects Plugins

Plugin icon
ns-woocommerce-watermark
No known fix

References

CVE
CVE-2022-0989

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Felipe Restrepo Rodríguez
Submitter
Felipe Restrepo Rodríguez
Submitter website
https://www.pfelilpe.com
Submitter twitter
Pfelilpe
Verified
Yes
WPVDB ID
a6bfc150-8e3f-4b2d-a6e1-09406af41dd4

Timeline

Publicly Published
2022-03-15 (about 3 years ago)
Added
2022-03-15 (about 3 years ago)
Last Updated
2022-04-09 (about 3 years ago)

Other

Published
Title
Published
2023-12-27
Title
Booster Elite for WooCommerce < 7.1.3 - Subscriber+ Content Injection
Published
2024-06-27
Title
WooCommerce < 9.0.0 - Shop Manager+ Content Injection
Published
2024-04-22
Title
Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated HTML Injection
Published
2023-10-03
Title
WP Content Pilot – Autoblogging & Affiliate Marketing Plugin < 1.3.4 - Authenticated (Contributor+) Content Injection