Refine your search
4 vulnerabilities found for Product Carousel Slider & Grid Ultimate for WooCommerce by wpWax
CVE-2025-24681 (GCVE-0-2025-24681)
Vulnerability from cvelistv5
Published
2025-01-24 17:24
Modified
2026-04-28 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate allows Stored XSS.This issue affects Product Carousel Slider & Grid Ultimate for WooCommerce: from n/a through <= 1.10.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpWax | Product Carousel Slider & Grid Ultimate for WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24681",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T18:45:38.575662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T18:55:38.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woo-product-carousel-slider-and-grid-ultimate",
"product": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce",
"vendor": "wpWax",
"versions": [
{
"changes": [
{
"at": "1.10.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.10.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damanpreet Singh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:34.984Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpWax Product Carousel Slider \u0026 Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate allows Stored XSS.\u003cp\u003eThis issue affects Product Carousel Slider \u0026 Grid Ultimate for WooCommerce: from n/a through \u003c= 1.10.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in wpWax Product Carousel Slider \u0026 Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate allows Stored XSS.This issue affects Product Carousel Slider \u0026 Grid Ultimate for WooCommerce: from n/a through \u003c= 1.10.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:32.080Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-carousel-slider-and-grid-ultimate/vulnerability/wordpress-product-carousel-slider-grid-ultimate-for-woocommerce-plugin-1-10-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Product Carousel Slider \u0026 Grid Ultimate for WooCommerce Plugin \u003c= 1.10.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24681",
"datePublished": "2025-01-24T17:24:54.277Z",
"dateReserved": "2025-01-23T14:52:05.567Z",
"dateUpdated": "2026-04-28T16:11:32.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12040 (GCVE-0-2024-12040)
Vulnerability from cvelistv5
Published
2024-12-12 05:24
Modified
2026-04-08 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Summary
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the `wcpcsu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpwax | Product Carousel Slider & Grid Ultimate for WooCommerce |
Version: 0 ≤ 1.9.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-12T14:55:16.998971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-12T14:55:31.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce",
"vendor": "wpwax",
"versions": [
{
"lessThanOrEqual": "1.9.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Carousel Slider \u0026 Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the \u0027theme\u0027 attribute of the `wcpcsu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:38:26.954Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c22de8c-e6e1-4b85-8d9f-619e9f63129e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3203986/woo-product-carousel-slider-and-grid-ultimate/tags/1.10.0/includes/classes/class-shortcode.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce \u003c= 1.9.10 - Authenticated (Contributor+) Local File Inclusion via \u0027theme\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12040",
"datePublished": "2024-12-12T05:24:19.745Z",
"dateReserved": "2024-12-02T17:15:51.180Z",
"dateUpdated": "2026-04-08T16:38:26.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-44048 (GCVE-0-2024-44048)
Vulnerability from cvelistv5
Published
2024-09-23 00:03
Modified
2026-04-28 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate.This issue affects Product Carousel Slider & Grid Ultimate for WooCommerce: from n/a through <= 1.9.10.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpWax | Product Carousel Slider & Grid Ultimate for WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-44048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-23T14:23:07.997766Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-23T14:23:14.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woo-product-carousel-slider-and-grid-ultimate",
"product": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce",
"vendor": "wpWax",
"versions": [
{
"changes": [
{
"at": "1.10.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.9.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:44.707Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpWax Product Carousel Slider \u0026 Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate.\u003cp\u003eThis issue affects Product Carousel Slider \u0026 Grid Ultimate for WooCommerce: from n/a through \u003c= 1.9.10.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpWax Product Carousel Slider \u0026 Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate.This issue affects Product Carousel Slider \u0026 Grid Ultimate for WooCommerce: from n/a through \u003c= 1.9.10."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:17.054Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woo-product-carousel-slider-and-grid-ultimate/vulnerability/wordpress-product-carousel-slider-grid-ultimate-for-woocommerce-plugin-1-9-10-authenticated-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Product Carousel Slider \u0026 Grid Ultimate for WooCommerce plugin \u003c= 1.9.10 - Authenticated Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-44048",
"datePublished": "2024-09-23T00:03:59.344Z",
"dateReserved": "2024-08-18T21:58:39.892Z",
"dateUpdated": "2026-04-28T16:10:17.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-1950 (GCVE-0-2024-1950)
Vulnerability from cvelistv5
Published
2024-03-13 15:27
Modified
2026-04-08 17:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpwax | Product Carousel Slider & Grid Ultimate for WooCommerce |
Version: 0 ≤ 1.9.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:56:22.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed8636bf-229a-42a5-a19c-332679613dd2?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-shortcode.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-meta-box.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7\u0026old=3045923\u0026new_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.8\u0026new=3045923\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpwax:product_carosel_slider_\\\u0026_grid_ultimate:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "product_carosel_slider_\\\u0026_grid_ultimate",
"vendor": "wpwax",
"versions": [
{
"lessThanOrEqual": "1.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-1950",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T18:39:12.857999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-09T20:43:05.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce",
"vendor": "wpwax",
"versions": [
{
"lessThanOrEqual": "1.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Francesco Carlucci"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Carousel Slider \u0026 Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:31:37.718Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ed8636bf-229a-42a5-a19c-332679613dd2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-shortcode.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-meta-box.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7\u0026old=3045923\u0026new_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.8\u0026new=3045923\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Product Carousel Slider \u0026 Grid Ultimate for WooCommerce \u003c= 1.9.7 - Authenticated(Contributor+) PHP Object Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1950",
"datePublished": "2024-03-13T15:27:23.100Z",
"dateReserved": "2024-02-27T19:14:51.782Z",
"dateUpdated": "2026-04-08T17:31:37.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}