Stored Cross-Site Scripting Vulnerability in WooCommerce Plugin
CVE-2024-10168

5.4 MEDIUM

Key Information:

Vendor: Pluginus
Product: Woot
CVE Published: 6 November 2024

Summary

The Active Products Tables for WooCommerce plugin for WordPress allows authenticated users with Contributor-level permissions or higher to perform stored cross-site scripting (XSS) attacks. The vulnerability stems from insufficient sanitization and escaping of user-supplied attributes in the plugin's woot_button shortcode. An attacker can inject arbitrary web scripts into a page, and those scripts execute whenever another user views the injected page, enabling data leakage or unauthorized actions in that user's session. The case underlines the importance of robust input validation and context-aware output escaping in web applications as the defence against XSS.
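The pattern the summary describes is a shortcode handler that places attribute values into HTML without escaping them. The following is an added illustration, not code from the Woot / Active Products Tables plugin; the shortcode name `demo_button` and the attributes `label` and `class` are hypothetical. It shows the unsafe handler beside a hardened one that uses the WordPress escaping functions `esc_attr`, `esc_html` and `sanitize_html_class`.

```php
<?php
// Added example for CVE-2024-10168's vulnerability class (stored XSS through
// shortcode attributes). Not the plugin's own code; names are hypothetical.

// Unsafe pattern: attribute values are concatenated straight into markup.
// A Contributor who saves [demo_button_unsafe label="..."] in a draft or post
// gets that value rendered verbatim for every later viewer of the page.
function demo_button_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Buy', 'class' => '' ),
        $atts,
        'demo_button_unsafe'
    );
    // No escaping: a value containing quotes or tags becomes live HTML.
    return '<button class="' . $atts['class'] . '">' . $atts['label'] . '</button>';
}

// Hardened pattern: each value is escaped for the context it lands in.
function demo_button_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'label' => 'Buy', 'class' => '' ),
        $atts,
        'demo_button_safe'
    );
    // Restrict the class to characters valid in an HTML class name.
    $class = sanitize_html_class( $atts['class'] );
    // Attribute context: esc_attr encodes quotes and angle brackets.
    // Element-body context: esc_html encodes angle brackets and ampersands.
    return '<button class="' . esc_attr( $class ) . '">' . esc_html( $atts['label'] ) . '</button>';
}

add_shortcode( 'demo_button_unsafe', 'demo_button_unsafe' );
add_shortcode( 'demo_button_safe', 'demo_button_safe' );
```

The Contributor role matters here because Contributors lack the `unfiltered_html` capability, so WordPress strips script markup from their post content, but a shortcode handler that echoes its attributes unescaped reintroduces that markup at render time. When reviewing a plugin for this class of issue, look for shortcode callbacks that build HTML from `$atts` values without passing each one through the escaping function for its output context.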

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published: 6 November 2024