CVE-2024-37297
WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows cross-site scripting. A bad actor can craft a link that includes malicious HTML and JavaScript content. While the content is not saved to the database, such links may be sent to victims for malicious purposes. The injected JavaScript could hijack content and data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization into the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via order attribution cookies in versions 8.8.0 to 8.8.4 and 8.9.0 to 8.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS Scores
SSVC
- Decision: Track
Timeline
- 2024-06-05 CVE Reserved
- 2024-06-10 CVE Published
- 2024-07-24 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CAPEC
References (4)
URL | Tag | Source
---|---|---
https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0 | Media Coverage |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Woocommerce | Woocommerce | >= 8.8 < 8.8.5 | wordpress | Affected
Woocommerce | Woocommerce | >= 8.9.0 < 8.9.3 | wordpress | Affected