Lucene search

GitHub_MVULNRICHMENT:CVE-2024-37297

HistoryJun 12, 2024 - 3:05 p.m.

CVE-2024-37297 WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

2024-06-1215:05:46

CWE-79

CWE-80

GitHub_M

github.com

cve-2024-37297

woocommerce

cross-site scripting

vulnerability

wordpress

open-source

e-commerce

platform

javascript

html

security patch

sourcebuster.js

order attribution

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

38.4%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

CNA Affected

[
  {
    "vendor": "woocommerce",
    "product": "woocommerce",
    "versions": [
      {
        "status": "affected",
        "version": ">= 8.8.0, < 8.8.5"
      },
      {
        "status": "affected",
        "version": ">= 8.9.0, < 8.9.3"
      }
    ]
  }
]