CVE-2024-37297
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| woocommerce | woocommerce | >= 8.8.0, < 8.8.5 | affected |
| woocommerce | woocommerce | >= 8.9.0, < 8.9.3 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-80: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
- https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
- https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
- https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
References
- https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
- https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
- https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
- https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.