Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
6 vulnerabilities by Techspawn
CVE-2026-39546 (GCVE-0-2026-39546)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:50 – Updated: 2026-06-17 12:36
VLAI
Title
WordPress MultiLoca plugin <= 4.2.15 - Privilege Escalation vulnerability
Summary
Subscriber Privilege Escalation in MultiLoca <= 4.2.15 versions.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T12:36:07.585732Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T12:36:14.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce-multi-locations-inventory-management",
"product": "MultiLoca",
"vendor": "Techspawn",
"versions": [
{
"changes": [
{
"at": "4.2.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.15",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Subscriber Privilege Escalation in MultiLoca \u003c= 4.2.15 versions."
}
],
"value": "Subscriber Privilege Escalation in MultiLoca \u003c= 4.2.15 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266 Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:50:49.168Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/woocommerce-multi-locations-inventory-management/vulnerability/wordpress-multiloca-plugin-4-2-15-privilege-escalation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress MultiLoca Plugin to the latest available version (at least 4.2.16)."
}
],
"value": "Update the WordPress MultiLoca Plugin to the latest available version (at least 4.2.16)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress MultiLoca plugin \u003c= 4.2.15 - Privilege Escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-39546",
"datePublished": "2026-06-17T09:50:49.168Z",
"dateReserved": "2026-04-07T10:48:21.621Z",
"dateUpdated": "2026-06-17T12:36:14.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9054 (GCVE-0-2025-9054)
Vulnerability from cvelistv5 – Published: 2025-09-24 11:18 – Updated: 2026-04-08 16:58
VLAI
Title
MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler'
Summary
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Techspawn | MultiLoca - WooCommerce Multi Locations Inventory Management |
Affected:
0 , ≤ 4.2.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-24T13:01:32.825316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-24T13:01:40.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MultiLoca - WooCommerce Multi Locations Inventory Management",
"vendor": "Techspawn",
"versions": [
{
"lessThanOrEqual": "4.2.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Th\u00e1i An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the \u0027wcmlim_settings_ajax_handler\u0027 function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:46.200Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a04e6ad-9365-4cb5-a0a0-82e047647d6b?source=cve"
},
{
"url": "https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586#item-description__changelog"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-08T17:18:04.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-23T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MultiLoca - WooCommerce Multi Locations Inventory Management \u003c= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via \u0027wcmlim_settings_ajax_handler\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-9054",
"datePublished": "2025-09-24T11:18:32.303Z",
"dateReserved": "2025-08-14T23:35:02.860Z",
"dateUpdated": "2026-04-08T16:58:46.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31056 (GCVE-0-2025-31056)
Vulnerability from cvelistv5 – Published: 2025-05-23 12:44 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress WhatsCart plugin <= 1.1.0 - SQL Injection vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through <= 1.1.0.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Techspawn | WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce |
Affected:
0 , ≤ 1.1.0
(custom)
|
Date Public
2026-04-01 16:36
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T13:20:46.387277Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T13:20:50.980Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "WhatsCart-for-WooCommerce",
"product": "WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce",
"vendor": "Techspawn",
"versions": [
{
"lessThanOrEqual": "1.1.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:46.386Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.\u003cp\u003eThis issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through \u003c= 1.1.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce WhatsCart-for-WooCommerce allows SQL Injection.This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through \u003c= 1.1.0."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:04.362Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/WhatsCart-for-WooCommerce/vulnerability/wordpress-whatscart-plugin-1-1-0-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress WhatsCart plugin \u003c= 1.1.0 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31056",
"datePublished": "2025-05-23T12:44:09.140Z",
"dateReserved": "2025-03-26T09:23:42.946Z",
"dateUpdated": "2026-04-28T16:12:04.362Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-22639 (GCVE-0-2025-22639)
Vulnerability from cvelistv5 – Published: 2025-02-18 19:54 – Updated: 2026-04-28 16:11
VLAI
Title
WordPress Distance Rate Shipping for WooCommerce plugin <= 1.3.4 - SQL Injection vulnerability
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn Distance Rate Shipping for WooCommerce distance-rate-shipping-for-woocommerce-pro allows Blind SQL Injection.This issue affects Distance Rate Shipping for WooCommerce: from n/a through <= 1.3.4.
Severity
8.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Techspawn | Distance Rate Shipping for WooCommerce |
Affected:
0 , ≤ 1.3.4
(custom)
|
Date Public
2026-04-01 16:31
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22639",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T20:21:43.197840Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T20:21:55.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "distance-rate-shipping-for-woocommerce-pro",
"product": "Distance Rate Shipping for WooCommerce",
"vendor": "Techspawn",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aiden | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:31:43.015Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Techspawn Distance Rate Shipping for WooCommerce distance-rate-shipping-for-woocommerce-pro allows Blind SQL Injection.\u003cp\u003eThis issue affects Distance Rate Shipping for WooCommerce: from n/a through \u003c= 1.3.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Techspawn Distance Rate Shipping for WooCommerce distance-rate-shipping-for-woocommerce-pro allows Blind SQL Injection.This issue affects Distance Rate Shipping for WooCommerce: from n/a through \u003c= 1.3.4."
}
],
"impacts": [
{
"capecId": "CAPEC-7",
"descriptions": [
{
"lang": "en",
"value": "Blind SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:02.859Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/distance-rate-shipping-for-woocommerce-pro/vulnerability/wordpress-distance-rate-shipping-for-woocommerce-plugin-1-3-4-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Distance Rate Shipping for WooCommerce plugin \u003c= 1.3.4 - SQL Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-22639",
"datePublished": "2025-02-18T19:54:27.732Z",
"dateReserved": "2025-01-07T21:02:36.080Z",
"dateUpdated": "2026-04-28T16:11:02.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13341 (GCVE-0-2024-13341)
Vulnerability from cvelistv5 – Published: 2025-02-01 06:41 – Updated: 2026-04-08 17:05
VLAI
Title
MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.1.11 - Authenticated (Subscriber+) SQL Injection
Summary
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to SQL Injection via the 'data-id' parameter in all versions up to, and including, 4.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Techspawn | MultiLoca - WooCommerce Multi Locations Inventory Management |
Affected:
0 , ≤ 4.1.11
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13341",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T16:07:53.498566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T16:37:46.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MultiLoca - WooCommerce Multi Locations Inventory Management",
"vendor": "Techspawn",
"versions": [
{
"lessThanOrEqual": "4.1.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Th\u00e1i An"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to SQL Injection via the \u0027data-id\u0027 parameter in all versions up to, and including, 4.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:51.982Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bb172cc-b7a6-401d-a246-1918702d654d?source=cve"
},
{
"url": "https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MultiLoca - WooCommerce Multi Locations Inventory Management \u003c= 4.1.11 - Authenticated (Subscriber+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13341",
"datePublished": "2025-02-01T06:41:50.837Z",
"dateReserved": "2025-01-10T19:46:02.930Z",
"dateUpdated": "2026-04-08T17:05:51.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24959 (GCVE-0-2021-24959)
Vulnerability from cvelistv5 – Published: 2022-03-14 14:41 – Updated: 2024-08-03 19:49
VLAI
Title
WP Email Users <= 1.7.6 - Subscriber+ SQL Injection
Summary
The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks.
Severity
No CVSS data available.
CWE
- CWE-89 - SQL Injection
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://wpscan.com/vulnerability/0471d2e2-e759-46… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Unknown | WP Email Users |
Affected:
1.7.6 , ≤ 1.7.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:49:13.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/0471d2e2-e759-468f-becd-0b062f00b435"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WP Email Users",
"vendor": "Unknown",
"versions": [
{
"lessThanOrEqual": "1.7.6",
"status": "affected",
"version": "1.7.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-14T14:41:05.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/0471d2e2-e759-468f-becd-0b062f00b435"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WP Email Users \u003c= 1.7.6 - Subscriber+ SQL Injection",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24959",
"STATE": "PUBLIC",
"TITLE": "WP Email Users \u003c= 1.7.6 - Subscriber+ SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WP Email Users",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "1.7.6",
"version_value": "1.7.6"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Krzysztof Zaj\u0105c"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The WP Email Users WordPress plugin through 1.7.6 does not escape the data_raw parameter in the weu_selected_users_1 AJAX action, available to any authenticated users, allowing them to perform SQL injection attacks."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/0471d2e2-e759-468f-becd-0b062f00b435",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/0471d2e2-e759-468f-becd-0b062f00b435"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24959",
"datePublished": "2022-03-14T14:41:05.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:49:13.934Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}