CVE-2024-37297: WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.
References
- developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0
- github.com/advisories/GHSA-cv23-q6gh-xfrf
- github.com/woocommerce/woocommerce
- github.com/woocommerce/woocommerce/commit/0e9888305d0cb9557e58f558526ab11cb3bcc4b4
- github.com/woocommerce/woocommerce/commit/915e32a42762916b745a7e663c8b69a698da8b67
- github.com/woocommerce/woocommerce/security/advisories/GHSA-cv23-q6gh-xfrf
- nvd.nist.gov/vuln/detail/CVE-2024-37297
Code Behaviors & Features
Detect and mitigate CVE-2024-37297 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →