Stored Cross-Site Scripting in Autoship Cloud for WooCommerce Subscription Products Plugin
CVE-2024-13461

6.4MEDIUM

Key Information:

Vendor
Patternsinthecloud
Status
Autoship Cloud For WooCommerce Subscription Products
Vendor
CVE Published:
21 February 2025

Summary

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access and above to exploit Stored Cross-Site Scripting. The issue arises from inadequate input sanitization and output escaping in the plugin's 'autoship-create-scheduled-order-action' shortcode. This loophole enables attackers to inject arbitrary web scripts into pages, which are subsequently executed when other users access these compromised pages, exposing them to potential security risks. This vulnerability affects all versions of the plugin up to and including 2.8.0.

Affected Version(s)

Autoship Cloud for WooCommerce Subscription Products * <= 2.8.0

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

zakaria
.