Description

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

INFO

Published Date :

2024-06-12T15:05:46.468Z

Last Modified :

2024-08-02T03:50:56.092Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-37297 vulnerability.

Vendors Products
Woocommerce
  • Woocommerce
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-37297.

URL Resource
https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0 cve-icon cve-icon
https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4 cve-icon cve-icon
https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67 cve-icon cve-icon
https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact