Unauthorized Access via Reflected Cross-Site Scripting
CVE-2024-9377

6.1MEDIUM

Key Information:

Vendor: Omardabbas
Status: Products, Order & Customers Export For WooCommerce
Vendor: CVE Published:; 10 October 2024

Summary

The Products, Order & Customers Export for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to improper handling of user input with add_query_arg and remove_query_arg functions. This vulnerability exists in all versions up to and including 2.0.15, allowing unauthenticated attackers to inject malicious scripts into web pages. If users are manipulated into clicking deceptive links, these scripts can execute in their browsers, leading to potential site compromise and data exposure. Website administrators should apply patches or updates to enhance site security and prevent exploitation.

Affected Version(s)

Products, Order & Customers Export for WooCommerce * <= 2.0.15

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3164996/

https://plugins.trac.wordpress.org/browser/export-woocomm...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Sep 30, 2024

Credit

Colin Xu