Reflected Cross-Site Scripting Vulnerability in Waitlist Woocommerce (Back in stock notifier) Plugin
CVE-2024-8724

6.1 MEDIUM

Key Information:

Vendor: Xootix
Plugin: Waitlist WooCommerce ( Back In Stock Notifier )
CVE Published: 14 September 2024

Summary

The Waitlist Woocommerce plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) because a URL built with the add_query_arg function is output without being escaped. Since an unauthenticated attacker can influence that URL, arbitrary web script can be injected into the page and will execute in a victim's browser if the victim is tricked into following a crafted link. A successful attack can lead to session hijacking, unauthorized actions performed as the victim, and data theft, so site owners should keep the plugin up to date.
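As an added illustration of the bug class described above (hypothetical code, not the plugin's own source and not part of this advisory), the functions below are assumed to run inside WordPress and show a URL returned by add_query_arg() echoed unescaped beside the esc_url()-wrapped form:

```php
<?php
// Hypothetical illustration of the pattern behind CVE-2024-8724, not the
// plugin's real code. Assumes WordPress is loaded, so add_query_arg() and
// esc_url() are available.
//
// add_query_arg() called without a base URL builds on $_SERVER['REQUEST_URI'].
// In a reflected scenario that value comes from the request, so whatever
// follows the path is copied straight into the returned string.

// VULNERABLE: the raw URL lands inside an HTML attribute. A request URI that
// contains a double quote can terminate href and start a new attribute or tag.
function waitlist_demo_vulnerable_link() {
    $url = add_query_arg( 'waitlist_action', 'subscribe' );
    return '<a href="' . $url . '">Notify me</a>';
}

// HARDENED: escape at the point of output. esc_url() removes characters that
// are not valid in a URL (double quotes, angle brackets, spaces, ...) and
// entity-encodes the rest, so the value cannot break out of the attribute.
function waitlist_demo_safe_link() {
    $url = add_query_arg( 'waitlist_action', 'subscribe' );
    return '<a href="' . esc_url( $url ) . '">Notify me</a>';
}

// The same rule applies to a form action built the same way: every URL that
// reaches HTML passes through esc_url() first, whatever the attribute.
function waitlist_demo_safe_form() {
    $action = add_query_arg( 'waitlist_action', 'subscribe' );
    return '<form method="post" action="' . esc_url( $action ) . '">'
         . '<input type="email" name="email">'
         . '<button type="submit">Notify me</button></form>';
}
```

When auditing a plugin for this class of issue, look for every add_query_arg() result that is concatenated or echoed into markup and confirm it is wrapped in esc_url() (or esc_url_raw() when the value is used in a redirect or database context rather than displayed).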

Affected Version(s)

Waitlist Woocommerce ( Back in stock notifier ): all versions <= 2.7.5

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published (14 September 2024)

Collectors

NVD Database, Mitre Database

Credit

Dale Mavers