VYPR
Moderate severityNVD Advisory· Published Jun 12, 2024· Updated Aug 2, 2024

WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

CVE-2024-37297

Description

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
woocommerce/woocommercePackagist
>= 8.8.0, < 8.8.58.8.5
woocommerce/woocommercePackagist
>= 8.9.0, < 8.9.38.9.3

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.