CVE-2021-24323: Cross-site Scripting in Woocommerce

Severity
4.8 MEDIUM (NVD)
EPSS
0.4% (top 40.73%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 17
Latest update: May 24

Description

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admin to store XSS payloads even when the unfiltered_html capability is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 | Impact: 2.7

Affected Packages (3 packages)

Source      Package                   Versions
CVEListV5   automattic/woocommerce    5.2.0, 5.2.0
Packagist   woocommerce/woocommerce   < 5.2.0

Vulnerability Details (3)

GHSA: Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled (2022-05-24)
OSV: Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled (2022-05-24)
CVEList: Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS) (2021-05-17)