History: Jun 12, 2024 - 3:15 p.m.

CVE-2024-37297

2024-06-12 15:15:52
CWE-79, CWE-80
Source: web.nvd.nist.gov
Tags: woocommerce, vulnerability, cross-site scripting, manipulated links, injected javascript, patch, workaround, order attribution

CVSS3: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.0004 (Low), Percentile: 15.6%

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows cross-site scripting. A bad actor can manipulate a link so that it includes malicious HTML and JavaScript content. While the content is not saved to the database, such links may be sent to victims for malicious purposes. The injected JavaScript could hijack content and data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted, without proper sanitization, into the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
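The pattern behind this class of bug, as an added illustration that is not WooCommerce or Sourcebuster.js code: tracking values taken from the page URL are written into hidden checkout fields. The parameter names, the field-name prefix and the sample URL are assumptions constructed for the example; the unsafe builder reproduces the defect, the safe builder shows the escaping a fix needs.

```javascript
// Constructed sample: a checkout URL carrying tracking parameters, one of
// which contains markup characters (utm_medium decodes to "><b>x).
const SAMPLE_URL =
  "https://shop.example/checkout?utm_source=news&utm_medium=%22%3E%3Cb%3Ex";

// Assumed allow-list of parameters an attribution script would track.
const TRACKED_PARAMS = ["utm_source", "utm_medium", "utm_campaign"];

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical): URL-derived values are concatenated
// straight into markup, so whoever crafts the link controls the HTML that
// ends up in the form.
function buildHiddenFieldsUnsafe(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  return TRACKED_PARAMS.filter((name) => params.has(name))
    .map((name) =>
      `<input type="hidden" name="wc_order_attribution_${name}" value="${params.get(name)}">`)
    .join("\n");
}

// Hardened pattern: every value is escaped before it touches markup, and the
// field name comes from the allow-list, never from the URL. Assigning the
// value through the DOM `value` property instead of building HTML avoids
// the problem entirely; this string form keeps the example runnable offline.
function buildHiddenFieldsSafe(pageUrl) {
  const params = new URL(pageUrl).searchParams;
  return TRACKED_PARAMS.filter((name) => params.has(name))
    .map((name) =>
      `<input type="hidden" name="wc_order_attribution_${name}" value="${escapeHtml(params.get(name))}">`)
    .join("\n");
}

// Detection aid for a review or test: any tag other than the expected
// <input> elements in the generated markup means a value broke out.
function containsUnexpectedTags(html) {
  return (html.match(/<(?!input\b)[a-zA-Z]/g) || []).length > 0;
}
```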

Affected configurations

Vulners
Node
Vendor: woocommerce, Product: woocommerce, Range: 8.8.0 to 8.8.5
OR
Vendor: woocommerce, Product: woocommerce, Range: 8.9.0 to 8.9.3

CNA Affected

[
  {
    "vendor": "woocommerce",
    "product": "woocommerce",
    "versions": [
      {
        "version": ">= 8.8.0, < 8.8.5",
        "status": "affected"
      },
      {
        "version": ">= 8.9.0, < 8.9.3",
        "status": "affected"
      }
    ]
  }
]
