CVE-2024-35728 - OpenCVE

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Themeisle	Product Addons \& Fields For Woocommerce

Configuration 1 [-]

cpe:2.3:a:themeisle:product_addons_\&_fields_for_woocommerce:*:*:*:*:*:wordpress:*:*

References

Link	Resource
https://patchstack.com/database/vulnerability/woocommerce-product-addon/wordpress-product-addons-fields-for-woocommerce-plugin-32-0-20-content-injection-vulnerability?_s_id=cve	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Patchstack

Published: 2024-06-10T16:21:23.582Z

Updated: 2024-06-10T18:40:08.653Z

Reserved: 2024-05-17T10:09:46.004Z

Link: CVE-2024-35728

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-10T17:16:29.810

Modified: 2024-06-12T17:43:24.173

Link: CVE-2024-35728

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-35728", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2024-05-17T10:09:46.004Z", "datePublished": "2024-06-10T16:21:23.582Z", "dateUpdated": "2024-06-10T18:40:08.653Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocommerce-product-addon", "product": "PPOM for WooCommerce", "vendor": "Themeisle", "versions": [{"changes": [{"at": "32.0.21", "status": "unaffected"}], "lessThanOrEqual": "32.0.20", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Savphill (Patchstack Alliance)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.<p>This issue affects PPOM for WooCommerce: from n/a through 32.0.20.</p>"}], "value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20."}], "impacts": [{"capecId": "CAPEC-175", "descriptions": [{"lang": "en", "value": "CAPEC-175 Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-74", "description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-06-10T16:21:23.582Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/woocommerce-product-addon/wordpress-product-addons-fields-for-woocommerce-plugin-32-0-20-content-injection-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 32.0.21 or a higher version."}], "value": "Update to 32.0.21 or a higher version."}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Product Addons & Fields for WooCommerce plugin <= 32.0.20 - Content Injection vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-10T18:40:00.848703Z", "id": "CVE-2024-35728", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-10T18:40:08.653Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themeisle:product_addons_\\&_fields_for_woocommerce:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D530ADA6-2BF1-463C-A57E-D4FAA83A59A5", "versionEndExcluding": "32.0.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20."}, {"lang": "es", "value": "La neutralizaci\u00f3n inadecuada de elementos especiales en la salida utilizada por una vulnerabilidad de componente posterior (\"inyecci\u00f3n\") en Themeisle PPOM para WooCommerce permite la inclusi\u00f3n de c\u00f3digo. Este problema afecta a PPOM para WooCommerce: desde n/a hasta 32.0.20."}], "id": "CVE-2024-35728", "lastModified": "2024-06-12T17:43:24.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2024-06-10T17:16:29.810", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/woocommerce-product-addon/wordpress-product-addons-fields-for-woocommerce-plugin-32-0-20-content-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "audit@patchstack.com", "type": "Primary"}]}