Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jdjIzLXE2Z2gteGZyZs4AA8_F

WooCommerce has a Cross-Site Scripting (XSS) Vulnerability in checkout & registration forms

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session.
The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
 		 * but it's not yet supported in Safari.
 		 */
 		connectedCallback() {
-			let inputs = '';
+			this.innerHTML = '';
+			const inputs = new DocumentFragment();
 			for( const fieldName of this._fieldNames ) {
-				const value = stringifyFalsyInputValue( this.values[ fieldName ] );
-				inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+				const input = document.createElement( 'input' );
+				input.type = 'hidden';
+				input.name = `${params.prefix}${fieldName}`;
+				input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+				inputs.appendChild( input );
 			}
-			this.innerHTML = inputs;
+			this.appendChild( inputs );
 		}
 
 		/**

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal)
Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

Permalink: https://github.com/advisories/GHSA-cv23-q6gh-xfrf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdjIzLXE2Z2gteGZyZs4AA8_F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 4 months ago

CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-cv23-q6gh-xfrf, CVE-2024-37297
References:

• https://github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
• https://nvd.nist.gov/vuln/detail/CVE-2024-37297
• https://github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
• https://github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
• https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
• https://github.com/advisories/GHSA-cv23-q6gh-xfrf

Repository: https://github.com/woocommerce/woocommerce
Blast Radius: 11.8

Affected Packages