CVE-2024-9944Cross-site Scripting in Woocommerce

CWE-79Cross-site Scripting3 documents3 sources
Severity
6.1MEDIUMNVD
CNA5.3
EPSS
0.7%
top 27.58%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
WoocommerceAutomattic Woocommerce
Timeline
PublishedOct 15

Description

The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5automattic/woocommerce9.0.2

Patches

Patch: github.comPatch: plugins.trac.wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-gp52-j3rq-472g: The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 92024-10-15
CVEList
WooCommerce <= 9.0.2 - Unauthenticated HTML Injection2024-10-15
CVE-2024-9944 — Cross-site Scripting in Woocommerce | cvebase