WordPress Plugin Vulnerabilities

WooCommerce <= 3.5.4 - Stored Cross-Site Scripting (XSS)

Description

* Security - Improved escaping for Photoswipe captions.
* Security - Improved escaping for JSON attributes and structured data.

Affects Plugins

Plugin icon
woocommerce
Fixed in 3.5.5

References

CVE
CVE-2019-9168
URL
https://fortiguard.com/zeroday/FG-VD-19-022
URL
https://github.com/woocommerce/woocommerce/commit/ffa230de9091cde33f1d60ffc971533e8682ba8f
URL
https://github.com/woocommerce/woocommerce/commit/7def966e4fe626cca274b5a714e07ac36f2655a6

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Zhouyuan Yang of Fortinet's FortiGuard Labs
Submitter
Ryan Dewhurst
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
661a5cd0-f152-4a33-8de8-55fa9f73c8d4

Timeline

Publicly Published
2019-02-20 (about 5 years ago)
Added
2019-02-26 (about 5 years ago)
Last Updated
2020-09-22 (about 3 years ago)

Other

Published
Title
Published
2020-06-22
Title
YITH WooCommerce Ajax Product Filter < 3.11.1 - Authenticated Reflected Cross-Site Scripting (XSS)
Published
2024-03-15
Title
Database for Contact Form 7 < 3.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-10-21
Title
NEX-Forms Lite <= 2.1.0 - Stored Cross-Site Scripting (XSS)
Published
2023-01-12
Title
WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode
Published
2016-04-21
Title
Persian Woocommerce SMS <= 3.3.3 - Reflected Cross-Site Scripting (XSS)