CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.004

EPSS Ranking 60.8%

CVSS Severity

CVSS v3 Score 5.4

References

Products affected by CVE-2024-37297

Woocommerce » Woocommerce » Version: 8.8.0

cpe:2.3:a:woocommerce:woocommerce:8.8.0
Woocommerce » Woocommerce » Version: 8.8.1

cpe:2.3:a:woocommerce:woocommerce:8.8.1
Woocommerce » Woocommerce » Version: 8.8.2

cpe:2.3:a:woocommerce:woocommerce:8.8.2
Woocommerce » Woocommerce » Version: 8.8.3

cpe:2.3:a:woocommerce:woocommerce:8.8.3
Woocommerce » Woocommerce » Version: 8.8.4

cpe:2.3:a:woocommerce:woocommerce:8.8.4
Woocommerce » Woocommerce » Version: 8.9.0

cpe:2.3:a:woocommerce:woocommerce:8.9.0
Woocommerce » Woocommerce » Version: 8.9.1

cpe:2.3:a:woocommerce:woocommerce:8.9.1
Woocommerce » Woocommerce » Version: 8.9.2

cpe:2.3:a:woocommerce:woocommerce:8.9.2

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-37297

Products

Pricing

Contact Us