Stored Cross-Site Scripting Vulnerability in Flexible Wishlist Plugin for WooCommerce by WordPress
CVE-2024-13696

7.2HIGH

Key Information:

Vendor
WordPress
Status
Flexible Wishlist For WooCommerce – Ecommerce Wishlist & Save For Later
Vendor
CVE Published:
29 January 2025

Summary

The Flexible Wishlist for WooCommerce plugin for WordPress contains a vulnerability that allows Stored Cross-Site Scripting via the 'wishlist_name' parameter. This issue arises from inadequate input sanitization and output escaping across all versions up to and including 1.2.25. As a result, unauthenticated attackers can inject malicious web scripts into pages, which will execute whenever a user accesses the affected page. This vulnerability can lead to various security issues, including unauthorized actions on behalf of users or data breaches.

Affected Version(s)

Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later * <= 1.2.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://wordpress.org/plugins/flexible-wishlist/#developers
https://plugins.trac.wordpress.org/browser/flexible-wishl...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tim Coen
.