GSA_kwCzR0hTQS1jdjIzLXE2Z2gteGZyZs4AA8_F

Moderate EPSS: 0.009% (0.74668 Percentile) EPSS:

Permalink JSON

WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout & registration forms

Affected Packages	Affected Versions	Fixed Versions
packagist:woocommerce/woocommerce	>= 8.9.0, < 8.9.3, >= 8.8.0, < 8.8.5	8.9.3, 8.8.5
14 Dependent packages 150 Dependent repositories 169,470 Downloads total Affected Version Ranges All affected versions All unaffected versions 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.1.0, 3.1.1, 3.1.2, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.10, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.8.0, 4.8.1, 4.8.2, 4.8.3, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.4, 4.9.5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.8.0, 5.8.1, 5.9.0, 5.9.1

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session.
The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
 		 * but it's not yet supported in Safari.
 		 */
 		connectedCallback() {
-			let inputs = '';
+			this.innerHTML = '';
+			const inputs = new DocumentFragment();
 			for( const fieldName of this._fieldNames ) {
-				const value = stringifyFalsyInputValue( this.values[ fieldName ] );
-				inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+				const input = document.createElement( 'input' );
+				input.type = 'hidden';
+				input.name = `${params.prefix}${fieldName}`;
+				input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+				inputs.appendChild( input );
 			}
-			this.innerHTML = inputs;
+			this.appendChild( inputs );
 		}
 
 		/**

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal)
Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

References:

Identifiers

GHSA-cv23-q6gh-xfrf

CVE-2024-37297

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.009

EPSS Percentile: 0.74668

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/woocommerce/woocommerce

Date and time

Published

about 1 year ago

Updated

about 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories