WordPress Plugin Vulnerabilities

Product Code for WooCommerce < 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Product Code for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
product-code-for-woocommerce
Fixed in 1.4.5

References

CVE
CVE-2023-51669
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0be84866-2a49-42da-b498-962fc1bcb811

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
LVT-tholv2k
Verified
No
WPVDB ID
44fc0833-5911-45d0-aad1-390968a67b96

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2011-09-27
Title
Web Minimalist 200901 < 1.2 - XSS
Published
2015-08-15
Title
Duplicator < 0.5.28 - Authenticated Cross-Site Scripting (XSS)
Published
2025-06-13
Title
Slider, Gallery, and Carousel by MetaSlider < 3.99.0 - Contributor+ Stored XSS via aria-label Parameter
Published
2024-05-29
Title
Remote Content Shortcode <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2026-03-25
Title
Complianz – GDPR/CCPA Cookie Consent < 7.4.5 - Contributor+ Stored XSS via Content Filter