Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cv23-q6gh-xfrf: WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
index 79411e928e1..25eaa721c54 100644
--- a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
+++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js
@@ -155,12 +155,16 @@
         * but it's not yet supported in Safari.
         */
        connectedCallback() {
-           let inputs = '';
+           this.innerHTML = '';
+           const inputs = new DocumentFragment();
            for( const fieldName of this._fieldNames ) {
-               const value = stringifyFalsyInputValue( this.values[ fieldName ] );
-               inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;
+               const input = document.createElement( 'input' );
+               input.type = 'hidden';
+               input.name = `${params.prefix}${fieldName}`;
+               input.value = stringifyFalsyInputValue( ( this.values && this.values[ fieldName ] ) || '' );
+               inputs.appendChild( input );
            }
-           this.innerHTML = inputs;
+           this.appendChild( inputs );
        }
 
        /**

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal) Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

ghsa
Open in Source
#xss#vulnerability#js#git#java
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-37297

WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

Moderate severity GitHub Reviewed Published Jun 12, 2024 in woocommerce/woocommerce • Updated Jun 12, 2024

Package

composer woocommerce/woocommerce (Composer)

Affected versions

>= 8.8.0, < 8.8.5

>= 8.9.0, < 8.9.3

Patched versions

8.8.5

8.9.3

Impact

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session.
The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms.

Patches

diff --git a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js index 79411e928e1…25eaa721c54 100644 — a/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js +++ b/plugins/woocommerce/client/legacy/js/frontend/order-attribution.js @@ -155,12 +155,16 @@ * but it’s not yet supported in Safari. */ connectedCallback() { - let inputs = '’;

  •       this.innerHTML = '';

  •       const inputs = new DocumentFragment();
      for( const fieldName of this.\_fieldNames ) {

- const value = stringifyFalsyInputValue( this.values[ fieldName ] ); - inputs += `<input type="hidden" name="${params.prefix}${fieldName}" value="${value}"/>`;

  •           const input = document.createElement( 'input' );

  •           input.type = 'hidden';

  •           input.name = \`${params.prefix}${fieldName}\`;

  •           input.value = stringifyFalsyInputValue( ( this.values && this.values\[ fieldName \] ) || '' );

  •           inputs.appendChild( input );
      }

- this.innerHTML = inputs;

  •       this.appendChild( inputs );
  }

  /\*\*

Workarounds

Disabling the Order Attribution feature

References

A8C SIRT: p3btAN-2L2-p2 (internal)
Public disclosure: https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0/

References

  • GHSA-cv23-q6gh-xfrf
  • https://nvd.nist.gov/vuln/detail/CVE-2024-37297
  • woocommerce/woocommerce@0e98883
  • woocommerce/woocommerce@915e32a
  • https://developer.woocommerce.com/2024/06/10/developer-advisory-xss-vulnerability-8-8-0

Published to the GitHub Advisory Database

Jun 12, 2024

Last updated

Jun 12, 2024

ghsa: Latest News

GHSA-53q7-4874-24qg: Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL
ghsa