Bear
Monthly
Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.
Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.
Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.
Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.
Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.
Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.