Reflected Cross-Site Scripting Vulnerability in WooCommerce Additional Fees Plugin
CVE-2024-12395

6.1 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
17 December 2024

Summary

CVE-2024-12395 is a reflected cross-site scripting vulnerability in the WooCommerce Additional Fees On Checkout plugin for WordPress. The vulnerability arises from insufficient input sanitization and missing output escaping of the 'number' parameter, and affects all versions up to and including 1.4.7. It allows unauthenticated attackers to inject arbitrary web scripts that execute in a victim's browser if the victim is enticed to click a specially crafted link. Website administrators running affected versions should prioritize updating the plugin to mitigate potential exploitation.
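The bug class described above, as an added illustration (this is not the plugin's source; the function names and fee-row markup are assumptions): a request value echoed into an HTML attribute without sanitization or escaping, beside the hardened form using WordPress's own validation and context-specific escaping functions.

```php
<?php
// Illustrative before/after for the CVE-2024-12395 bug class. NOT the
// plugin's code: function names and the fee-row markup are assumptions.

// BEFORE: the request parameter is written straight into the page. A value
// containing markup is rendered as markup, so script supplied via a crafted
// link runs in the visitor's browser (reflected XSS).
function wcaf_render_fee_row_vulnerable() {
    $number = isset( $_GET['number'] ) ? $_GET['number'] : '';
    echo '<input type="text" name="number" value="' . $number . '">';
}

// AFTER: constrain the input to what it is meant to be (here a fee-row
// index, i.e. a non-negative integer) AND escape at the output sink.
// Both steps matter: sanitization limits the value, escaping makes the
// specific HTML context safe even if sanitization is later loosened.
function wcaf_render_fee_row_fixed() {
    // absint() coerces to a non-negative integer; anything else becomes 0.
    $number = isset( $_GET['number'] ) ? absint( wp_unslash( $_GET['number'] ) ) : 0;
    // esc_attr() is the escaper for an HTML attribute context.
    echo '<input type="text" name="number" value="' . esc_attr( $number ) . '">';
}

// If the parameter must remain free text, strip tags and control characters
// with sanitize_text_field(), then still escape for the exact output
// context: esc_attr() inside attributes, esc_html() inside element bodies.
function wcaf_render_fee_label_fixed() {
    $label = isset( $_GET['number'] ) ? sanitize_text_field( wp_unslash( $_GET['number'] ) ) : '';
    echo '<span class="fee-label">' . esc_html( $label ) . '</span>';
}
```

When reviewing a plugin for this class of flaw, grep for `$_GET`, `$_POST` and `$_REQUEST` values that reach `echo` or string concatenation into markup without passing through an `esc_*()` call for that context.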

Affected Version(s)

WooCommerce Additional Fees On Checkout (Free): all versions <= 1.4.7

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Dale Mavers