CVE-2024-4455
published 2024-05-24

CVE-2024-4455: The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including…

Priority: P1 80 medium 6.1 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.01% (58.7th percentile)
The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘item’ parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affected (2 ranges)

| Vendor   | Product                       | Version range | Fixed in |
|----------|-------------------------------|---------------|----------|
| yithemes | yith_woocommerce_ajax_search  | < 2.4.1       | 2.4.1    |
| yithemes | yith_woocommerce_ajax_search  | <= 2.4.0      |          |

Detection & IOCs (extracted from sources)

url: /wp-admin/admin.php?page=yith_wcas_panel&tab=statistic&from&to&view_all=no_results
path: /wp-admin/admin.php?page=yith_wcas_panel&tab=statistic
  • Stored XSS payload injected via the 'item' parameter is reflected in the YITH WooCommerce Ajax Search statistics panel; detect by checking for alert(document.domain) in the response body of the admin statistics page.
  • The exploit flow involves a POST to /wp-login.php followed by a GET to the YITH statistics panel with view_all=no_results; monitor for unauthenticated or low-privilege access patterns to this admin endpoint.
  • Presence of a 'loggerID' JSON key in HTTP response body indicates the YITH WooCommerce Ajax Search search-logging feature is active and potentially exploitable.
  • The vulnerability is exploitable by unauthenticated attackers; any request containing XSS payloads in the 'item' parameter to the YITH Ajax Search endpoint should be flagged.
  • The PoC nuclei template requires valid WordPress credentials to reach the admin statistics panel for verification, but the initial injection itself is unauthenticated.

CVSS provenance

| Source    | CVSS version | Score | Severity | Vector                                       |
|-----------|--------------|-------|----------|----------------------------------------------|
| nvd       | v3.1         | 6.1   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| vulncheck |              | 7.2   | HIGH     |                                              |