WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
Description
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
woocommerce/woocommercePackagist | >= 8.8.0, < 8.8.5 | 8.8.5 |
woocommerce/woocommercePackagist | >= 8.9.0, < 8.9.3 | 8.9.3 |
Affected products
1- Range: >= 8.8.0, < 8.8.5
Patches
2915e32a42762Sync # 322 with release 8.8 (#48353)
2 files changed · +10 −5
plugins/woocommerce/client/legacy/js/frontend/order-attribution.js+8 −4 modified@@ -153,12 +153,16 @@ * but it's not yet supported in Safari. */ connectedCallback() { - let inputs = ''; + this.innerHTML = ''; + const inputs = new DocumentFragment(); for( const fieldName of this._fieldNames ) { - const value = stringifyFalsyInputValue( this.values[ fieldName ] ); - inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`; + const input = document.createElement( 'input' ); + input.type = 'hidden'; + input.name = `${params.prefix}${fieldName}`; + input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' ); + inputs.appendChild( input ); } - this.innerHTML = inputs; + this.appendChild( inputs ); } /**
plugins/woocommerce/readme.txt+2 −1 modified@@ -165,9 +165,10 @@ WooCommerce comes with some sample data you can use to see how products look; im == Changelog == -= 8.8.5 2024-06-11 = += 8.8.5 2024-06-10 = **WooCommerce** +* Security - Prevent HTML & JS injection attacks on registration and checkout forms when the Order Attribution is enabled. [#48348](https://github.com/woocommerce/woocommerce/pull/48348) [See changelog for all versions](https://raw.githubusercontent.com/woocommerce/woocommerce/trunk/changelog.txt).
0e9888305d0cSync # 321 with release 8.9 (#48352)
2 files changed · +10 −6
plugins/woocommerce/client/legacy/js/frontend/order-attribution.js+8 −4 modified@@ -155,12 +155,16 @@ * but it's not yet supported in Safari. */ connectedCallback() { - let inputs = ''; + this.innerHTML = ''; + const inputs = new DocumentFragment(); for( const fieldName of this._fieldNames ) { - const value = stringifyFalsyInputValue( this.values[ fieldName ] ); - inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`; + const input = document.createElement( 'input' ); + input.type = 'hidden'; + input.name = `${params.prefix}${fieldName}`; + input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' ); + inputs.appendChild( input ); } - this.innerHTML = inputs; + this.appendChild( inputs ); } /**
plugins/woocommerce/readme.txt+2 −2 modified@@ -165,10 +165,10 @@ WooCommerce comes with some sample data you can use to see how products look; im == Changelog == -= 8.9.3 2024-06-11 = += 8.9.3 2024-06-10 = **WooCommerce** +* Security - Prevent HTML & JS injection attacks on registration and checkout forms when the Order Attribution is enabled. [#48348](https://github.com/woocommerce/woocommerce/pull/48348) [See changelog for all versions](https://raw.githubusercontent.com/woocommerce/woocommerce/trunk/changelog.txt). -/trunk/changelog.txt).
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-cv23-q6gh-xfrfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-37297ghsaADVISORY
- developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0ghsax_refsource_MISCWEB
- github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4ghsax_refsource_MISCWEB
- github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67ghsax_refsource_MISCWEB
- github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.