Ali2woo Lite

Source repositories

https://plugins.svn.wordpress.org/ali2woo-lite/

CVEs (5)

CVE	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2024-2381	Hig	0.58	8.8	0.10	Jun 19, 2024	The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-37213	Hig	0.46	7.1	0.00	Jul 12, 2024	Cross-Site Request Forgery (CSRF) vulnerability in guru-aliexpress AliNext ali2woo-lite allows Cross Site Request Forgery.This issue affects AliNext: from n/a through <= 3.4.6.
CVE-2024-37214	Med	0.42	6.5	0.00	Nov 1, 2024	Missing Authorization vulnerability in Dropshipping Guru Ali2Woo Lite Exploiting Incorrectly Configured Access Control Security Levels, Stored XSS.This issue affects Ali2Woo Lite: from n/a through 3.3.5.
CVE-2024-4450	Med	0.41	6.3	0.00	Jun 19, 2024	The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. CVE-2024-37210 is likely a duplicate of this issue.
CVE-2025-30859	Med	0.31	4.7	0.01	Mar 27, 2025	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in guru-aliexpress AliNext ali2woo-lite allows Phishing.This issue affects AliNext: from n/a through <= 3.5.1.

CVE-2024-2381HigJun 19, 2024
risk 0.58cvss 8.8epss 0.10
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-37213HigJul 12, 2024
risk 0.46cvss 7.1epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in guru-aliexpress AliNext ali2woo-lite allows Cross Site Request Forgery.This issue affects AliNext: from n/a through <= 3.4.6.
CVE-2024-37214MedNov 1, 2024
risk 0.42cvss 6.5epss 0.00
Missing Authorization vulnerability in Dropshipping Guru Ali2Woo Lite Exploiting Incorrectly Configured Access Control Security Levels, Stored XSS.This issue affects Ali2Woo Lite: from n/a through 3.3.5.
CVE-2024-4450MedJun 19, 2024
risk 0.41cvss 6.3epss 0.00
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. CVE-2024-37210 is likely a duplicate of this issue.
CVE-2025-30859MedMar 27, 2025
risk 0.31cvss 4.7epss 0.01
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in guru-aliexpress AliNext ali2woo-lite allows Phishing.This issue affects AliNext: from n/a through <= 3.5.1.