Arbitrary Script Injection Vulnerability in Primer Plugin for WooCommerce
CVE-2024-11809

6.1 MEDIUM

Key Information:

Vendor: WordPress
CVE Published: 13 December 2024

Summary

The Primer MyData for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting because the 'img_src' parameter is not adequately verified. Unsanitized input from this parameter allows attackers to inject arbitrary web scripts. If a user is misled into clicking a specially crafted link, the injected scripts may execute within that user's browser session, with harmful effects that include data theft and unauthorized actions. Users should apply protective measures immediately, including updating to a patched version of the plugin and strengthening input validation.

Affected Version(s)

Primer MyData for Woocommerce * <= 4.2.1

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers