WordPress Plugin Vulnerabilities

WooCommerce < 9.0.0 - Shop Manager+ Content Injection

Description

The WooCommerce plugin for WordPress is vulnerable to content injection in all versions up to, and including, 8.9.2. This is due to the plugin not properly restricting/validating content. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary content.

Affects Plugins

Plugin icon
woocommerce
Fixed in 9.0.0

References

CVE
CVE-2024-35777
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ee8436c2-3dda-481c-92b3-cc2ba8fc1993

Classification

Type
CONTENT INJECTION
OWASP top 10
A1: Injection
CWE
CWE-345
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
44887eb0-ee24-4368-ba5e-6ed189ba8e5d

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2025-12-12
Title
TI WooCommerce Wishlist < 2.11.0 - Unauthenticated HTML Injection
Published
2024-04-22
Title
Pricing Table by Supsystic < 1.9.13 - Admin+ Content Injection
Published
2023-10-11
Title
Responsive Tabs < 4.0.6 - Authenticated (Contributor+) Content Injection
Published
2026-02-11
Title
WooODT Lite <= 2.5.2 - Unauthenticated Payment Bypass
Published
2024-04-25
Title
Car Dealer < 4.16 - Admin+ Content Injection