Stored Cross-Site Scripting Vulnerability in WooCommerce PDF Invoices & Packing Slips Plugin
CVE-2024-3045

7.2HIGH

Key Information:

Vendor: Wordpress
Status: PDF Invoices & Packing Slips For WooCommerce
Vendor: CVE Published:; 2 May 2024

Summary

The WooCommerce PDF Invoices & Packing Slips plugin for WordPress has a vulnerability that allows for Stored Cross-Site Scripting (XSS) through various parameters. This issue arises from insufficient input sanitization and output escaping in versions up to and including 3.8.0. An unauthenticated attacker can exploit this vulnerability to inject arbitrary web scripts into pages, which will be executed every time a user accesses the affected page. It is crucial for website owners using this plugin to assess their installations and apply necessary updates to safeguard against such vulnerabilities.

Affected Version(s)

PDF Invoices & Packing Slips for WooCommerce * <= 3.8.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/woocommerce-pd...

https://plugins.trac.wordpress.org/changeset/3076105/

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Mar 28, 2024

Credit

Tim Coen