Products
WooCommerce
- 8.8
- 8.8.5
- 8.9.3
Source
security-advisories@github.com
Tags
CVE-2024-37297 details
Last Modified : June 12, 2024, 3:15 p.m.
Description
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
CVSS Score
| 1 | 2 | 3 | 4 | 5.4 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Exploitability Score
Impact Score
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
| URL | Source |
|---|---|
| https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0 | security-advisories@github.com |
| https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4 | security-advisories@github.com |
| https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67 | security-advisories@github.com |
| https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf | security-advisories@github.com |