Vulnerabilities (CVE)

Filtered by vendor Xootix Subscribe
Total 5 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-28415 1 Xootix 1 Side Cart Woocommerce 2023-12-10 N/A 4.8 MEDIUM
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in XootiX Side Cart Woocommerce (Ajax) plugin <= 2.2 versions.
CVE-2023-2706 1 Xootix 1 Otp Login Woocommerce \& Gravity Forms 2023-12-10 N/A 8.1 HIGH
The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require an attacker have access to the phone number configured for an account, which can be obtained via social engineering or reconnaissance.
CVE-2022-45376 1 Xootix 1 Side Cart Woocommerce 2023-12-10 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in XootiX Side Cart Woocommerce (Ajax) < 2.1 versions.
CVE-2020-36715 1 Xootix 1 Login\/signup Popup 2023-12-10 N/A 4.6 MEDIUM
The Login/Signup Popup plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions in versions up to, and including, 1.4. This makes it possible for authenticated attackers to inject arbitrary web scripts into the plugin settings that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2022-0215 1 Xootix 3 Login\/signup Popup, Side Cart Woocommerce, Waitlist Woocommerce 2023-12-10 6.8 MEDIUM 8.8 HIGH
The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions <= 2.2 in Login/Signup Popup, versions <= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions <= 2.0 in Side Cart Woocommerce (Ajax).