5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session.
The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.
diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
* but it's not yet supported in Safari.
*/
connectedCallback() {
- let inputs = '';
+ this.innerHTML = '';
+ const inputs = new DocumentFragment();
for( const fieldName of this._fieldNames ) {
- const value = stringifyFalsyInputValue( this.values[ fieldName ] );
- inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+ const input = document.createElement( 'input' );
+ input.type = 'hidden';
+ input.name = `${params.prefix}${fieldName}`;
+ input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+ inputs.appendChild( input );
}
- this.innerHTML = inputs;
+ this.appendChild( inputs );
}
/**
Disabling the Order Attribution feature
A8C SIRT: p3btAN-2L2-p2 (internal)
Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/
developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
github.com/woocommerce/woocommerce
github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
nvd.nist.gov/vuln/detail/CVE-2024-37297
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%