Vulnerabilities > Yithemes > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2024-09-13 | CVE-2024-8665 | Cross-site Scripting vulnerability in Yithemes Yith Custom Login | The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. | 6.1 |
2024-07-19 | CVE-2024-6799 | Missing Authorization vulnerability in Yithemes Yith Essential KIT for Woocommerce | The YITH Essential Kit for WooCommerce #1 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_module', 'deactivate_module', and 'install_module' functions in all versions up to, and including, 2.34.0. | 4.3 |
2024-06-10 | CVE-2024-35680 | Injection vulnerability in Yithemes Yith Woocommerce Product Add-Ons | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Code Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.9.2. | 5.3 |
2024-06-08 | CVE-2024-35698 | Cross-site Scripting vulnerability in Yithemes Yith Woocommerce TAB Manager | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in YITH YITH WooCommerce Tab Manager allows Stored XSS. This issue affects YITH WooCommerce Tab Manager: from n/a through 1.35.0. | 4.8 |
2024-06-08 | CVE-2024-35732 | Cross-site Scripting vulnerability in Yithemes Yith Custom Login | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in YITH YITH Custom Login allows Stored XSS. This issue affects YITH Custom Login: from n/a through 1.7.0. | 4.8 |
2022-03-28 | CVE-2022-0818 | Cross-site Scripting vulnerability in Yithemes Woocommerce Affiliate | The WooCommerce Affiliate Plugin WordPress plugin before 4.16.4.5 does not have authorization and CSRF checks on a specific action handler, as well as does not sanitize its settings, which enables an unauthenticated attacker to inject malicious XSS payloads into the settings page of the plugin. | 4.3 |
2019-10-31 | CVE-2019-16251 | Unspecified vulnerability in Yithemes products | plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin Framework through 3.3.8 for WordPress allows authenticated options changes. | 4.0 |
2019-09-26 | CVE-2015-9429 | Cross-Site Request Forgery (CSRF) vulnerability in Yithemes Yith Maintenance Mode | The yith-maintenance-mode plugin before 1.2.0 for WordPress has CSRF with resultant XSS via the wp-admin/themes.php?page=yith-maintenance-mode panel_page parameter. | 4.3 |