WordPress Plugin Vulnerabilities

Email Template Customizer for WooCommerce < 1.2.9.2 - Shop manager+ Stored XSS

Description

The plugin is vulnerable to Stored Cross-Site Scripting via admin settings due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
email-template-customizer-for-woo
Fixed in 1.2.9.2

References

CVE
CVE-2024-49288
URL
https://patchstack.com/database/vulnerability/email-template-customizer-for-woo/wordpress-email-template-customizer-for-woocommerce-plugin-1-2-5-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.1 (low)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
270c2225-6f83-436c-b145-6585ec725e24

Timeline

Publicly Published
2024-10-15 (about 1 year ago)
Added
2024-10-18 (about 1 year ago)
Last Updated
2024-11-29 (about 1 year ago)

Other

Published
Title
Published
2015-08-11
Title
Display Widgets <= 2.03 - Authenticated Cross-Site Scripting (XSS)
Published
2024-08-01
Title
WooCommerce PDF Vouchers < 4.9.5 - Reflected Cross-Site Scripting
Published
2021-09-09
Title
Feedify Web Push Notifications < 2.1.9 - Reflected Cross-Site Scripting
Published
2025-06-28
Title
EZ SQL Reports Shortcode Widget and DB Backup < 5.25.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode
Published
2021-09-15
Title
Dflip Lite < 1.7.10 - Contributor+ Stored Cross-Site Scripting