WooCommerce SMS Plugin Vulnerable to Reflected Cross-Site Scripting
CVE-2024-9213

6.1MEDIUM

Key Information:

Vendor
Wordpress
Status
افزونه پیامک ووکامرس Persian WooCommerce Sms
Vendor
CVE Published:
17 October 2024

Summary

The Persian WooCommerce SMS plugin for WordPress has a vulnerability that arises from the improper use of remove_query_arg without appropriate escaping on the URL in its coding. This flaw is present in all versions up to and including 7.0.2. As a result, unauthenticated attackers can exploit this vulnerability to inject arbitrary web scripts into the affected websites. If a user is deceived into clicking a malicious link crafted by the attacker, the injected scripts may execute in their browser session, potentially compromising data security and user privacy.

Affected Version(s)

افزونه پیامک ووکامرس Persian WooCommerce SMS * <= 7.0.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/persian-woocom...
https://plugins.trac.wordpress.org/browser/persian-woocom...

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers
.