Reflected Cross-Site Scripting Vulnerability in WooCommerce Coupons Plugin
CVE-2024-8541

6.1 MEDIUM

Summary

The Discount Rules for WooCommerce plugin for WordPress is susceptible to Reflected Cross-Site Scripting (XSS) due to improper handling of input passed through the add_query_arg function. This vulnerability affects all versions up to and including 2.6.5 and allows attackers to craft malicious URLs that, when clicked by a site administrator, execute arbitrary web scripts in the administrator's browser. The vulnerability is only exploitable when the 'Leave a Review' notice is displayed, a condition that typically occurs after the site has processed 100 orders. Because the notice must also be interacted with to trigger the attack, exploitation depends on social engineering as well as on the notice being present, which underlines the importance of vigilance in site management.
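The root cause described above is a well-known WordPress pattern: add_query_arg() called without an explicit base URL falls back to $_SERVER['REQUEST_URI'], so any value it returns is partly attacker-controlled on a crafted link, and echoing it unescaped into an href attribute allows attribute breakout. The following is an added illustration, not the plugin's own code: a generic admin "review" notice written first in the vulnerable style and then in a hardened form. It assumes a loaded WordPress environment; the function, option, query-argument and page names (ex_review_notice_*, ex_review_notice_dismissed, ex_dismiss_review, ex-plugin) are placeholders invented for the example.

```php
<?php
// Added example (not the plugin's own code). Names prefixed ex_ are assumed
// for illustration; WordPress core functions are used as documented.

// Vulnerable pattern: add_query_arg() with no base URL builds on
// $_SERVER['REQUEST_URI'], and the result is echoed into an href attribute
// without escaping. A crafted request URI can therefore break out of the
// attribute and inject markup into the admin page.
function ex_review_notice_vulnerable() {
    $dismiss_url = add_query_arg( 'ex_dismiss_review', '1' );
    echo '<div class="notice notice-info"><p>Please leave a review. ';
    echo '<a href="' . $dismiss_url . '">Dismiss</a></p></div>';
}

// Hardened pattern:
//  1. build the link on an explicit, trusted base URL instead of REQUEST_URI;
//  2. escape the URL for attribute context with esc_url();
//  3. protect the state-changing dismiss action with a nonce;
//  4. only show the notice to users who are allowed to act on it.
function ex_review_notice_safe() {
    if ( ! current_user_can( 'manage_options' ) || get_option( 'ex_review_notice_dismissed' ) ) {
        return;
    }
    $dismiss_url = wp_nonce_url(
        add_query_arg( 'ex_dismiss_review', '1', admin_url( 'admin.php?page=ex-plugin' ) ),
        'ex_dismiss_review'
    );
    echo '<div class="notice notice-info"><p>Please leave a review. ';
    echo '<a href="' . esc_url( $dismiss_url ) . '">Dismiss</a></p></div>';
}
add_action( 'admin_notices', 'ex_review_notice_safe' );

// Dismissal handler: check_admin_referer() verifies the _wpnonce that
// wp_nonce_url() appended, and stops the request (wp_die) if it is invalid,
// so the option is only changed for a link the site itself generated.
function ex_handle_review_dismiss() {
    if ( isset( $_GET['ex_dismiss_review'] ) && check_admin_referer( 'ex_dismiss_review' ) ) {
        update_option( 'ex_review_notice_dismissed', 1 );
    }
}
add_action( 'admin_init', 'ex_handle_review_dismiss' );
```

When auditing a plugin for this class of issue, the check is mechanical: every add_query_arg() or remove_query_arg() result that reaches HTML output must pass through esc_url() (or esc_url_raw() for non-HTML sinks such as redirects), and links that trigger state changes should carry a nonce.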

Affected Version(s)

Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons: all versions <= 2.6.5

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers