Advisories for Composer/Woocommerce/Woocommerce package

2024

WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted …

2022
2021

SQL Injection

Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of /wp-json/wc/v3/webhooks, /wp-json/wc/v2/webhooks and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting search parameter information can be …

Cross-site Scripting

When taxes are enabled, the Additional tax classes field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html setting is disabled

2020