CVE-2024-10837
Description
The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 2.7.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in SysBasics Customize My Account for WooCommerce plugin via the unescaped 'tab' parameter allows unauthenticated attackers to inject arbitrary web scripts.
Vulnerability
Description
The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 2.7.29. The vulnerability exists due to insufficient input sanitization and output escaping of the tab parameter [1]. This allows an attacker to inject arbitrary web scripts into pages that will execute in the context of a victim's browser.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious link containing the tab parameter with a JavaScript payload. The attacker must then trick a user—such as an administrator or shop manager—into clicking the link. No authentication or special network position is required for the initial injection, making the attack vector straightforward for social engineering campaigns.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. An attacker can perform actions such as stealing session cookies, modifying page content, or redirecting the user to malicious sites. Since the script executes in the context of the vulnerable WordPress site, it can potentially access sensitive information and perform actions on behalf of the victim.
Mitigation
The vendor has not yet released a patched version as of the publication date. The plugin is available for download from the WordPress plugin repository [1]. Administrators should monitor for updates and consider temporarily disabling the plugin or applying a web application firewall rule to filter malicious tab parameter inputs until a fix is applied.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
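To make the Mitigation note concrete, here is an added illustrative example (not code from the SysBasics plugin) of a hypothetical My Account tab switcher that reads a `tab` query parameter, shown first in the unsafe reflected form the CVE describes and then hardened with WordPress core's sanitization and escaping functions. The function names and tab slugs are assumptions for this example; `sanitize_key()`, `wp_unslash()`, `esc_attr()` and `esc_html()` are real WordPress core functions.

```php
<?php
// Added illustrative example, not code from the SysBasics plugin.
// Hypothetical My Account tab switcher that reads ?tab= from the URL.
// Function names and the tab slugs below are assumptions for this example.

// Before: the raw query value is written straight into the page, so any
// crafted ?tab= value is reflected as live markup (the pattern in the CVE).
function cma_example_render_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'dashboard';
    echo '<div class="cma-tab" data-tab="' . $tab . '">';
    echo '<h2>' . $tab . '</h2>';
    echo '</div>';
}

// After: validate the value against the known tab slugs (input sanitization)
// and escape every place it is written (output escaping).
function cma_example_known_tabs() {
    // Constructed list of tab slugs for this example.
    return array(
        'dashboard'    => 'Dashboard',
        'orders'       => 'Orders',
        'downloads'    => 'Downloads',
        'edit-address' => 'Addresses',
    );
}

function cma_example_resolve_tab( $raw ) {
    $tabs = cma_example_known_tabs();
    // sanitize_key() lowercases and strips everything except [a-z0-9_-],
    // so quotes, angle brackets and other markup characters are dropped here.
    $slug = sanitize_key( wp_unslash( (string) $raw ) );
    // Accept only slugs the plugin actually knows; anything else falls back.
    return array_key_exists( $slug, $tabs ) ? $slug : 'dashboard';
}

function cma_example_render_tab_hardened() {
    $tabs = cma_example_known_tabs();
    $slug = cma_example_resolve_tab( isset( $_GET['tab'] ) ? $_GET['tab'] : '' );
    // Escape on output regardless of validation: esc_attr() inside attributes,
    // esc_html() inside element text.
    echo '<div class="cma-tab" data-tab="' . esc_attr( $slug ) . '">';
    echo '<h2>' . esc_html( $tabs[ $slug ] ) . '</h2>';
    echo '</div>';
}
```

The allow-list check alone already prevents reflection of attacker-controlled text; the output escaping is kept as defence in depth so a later change to the tab list cannot reintroduce the bug.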
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/2.7.19/phppoet-checkout-fields/include/admin/pcfme_admin_settings.php [nvd]
- plugins.trac.wordpress.org/changeset/3183607/ [nvd]
- wordpress.org/plugins/customize-my-account-for-woocommerce/ [nvd]
- www.wordfence.com/threat-intel/vulnerabilities/id/0ced1c79-97fe-4841-9a02-ffb9f336212a [nvd]
News mentions (0)
No linked articles in our index yet.