Stored Cross-Site Scripting in Autoship Cloud for WooCommerce Subscription Products Plugin
CVE-2024-13461
6.4MEDIUM
Key Information:
- Vendor
- Patternsinthecloud
- Status
- Autoship Cloud For WooCommerce Subscription Products
- Vendor
- CVE Published:
- 21 February 2025
Summary
The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access and above to exploit Stored Cross-Site Scripting. The issue arises from inadequate input sanitization and output escaping in the plugin's 'autoship-create-scheduled-order-action' shortcode. This loophole enables attackers to inject arbitrary web scripts into pages, which are subsequently executed when other users access these compromised pages, exposing them to potential security risks. This vulnerability affects all versions of the plugin up to and including 2.8.0.
Affected Version(s)
Autoship Cloud for WooCommerce Subscription Products * <= 2.8.0
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
zakaria