Reflected Cross-Site Scripting Vulnerability in WooCommerce Digital Content Delivery Plugin
CVE-2024-12438

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
WooCommerce Digital Content Delivery (incl. Drm) – Flickrocket
Vendor
CVE Published:
7 January 2025

Summary

The WooCommerce Digital Content Delivery (FlickRocket) plugin for WordPress suffers from a reflected cross-site scripting vulnerability. This issue arises from inadequate input sanitization and output escaping on the 'start_date' and 'end_date' parameters. An unauthenticated attacker can exploit this flaw to inject arbitrary web scripts into web pages viewed by users. If the victim is manipulated into engaging with a crafted link, the malicious script will execute in their browser context, potentially facilitating various attacks, including data theft and session hijacking.

Affected Version(s)

WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket * <= 4.74

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/woocommerce-di...
https://plugins.trac.wordpress.org/browser/woocommerce-di...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers
.