WordPress Plugin Vulnerabilities

Store Exporter for WooCommerce < 2.7.3 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
woocommerce-exporter
Fixed in 2.7.3

References

CVE
CVE-2024-8793
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7d3c44eb-ef25-43f5-a872-6ef52c3d9c1f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
vgo0
Verified
Yes
WPVDB ID
70b9c0f7-f16c-499c-b426-ccc65fee3ca4

Timeline

Publicly Published
2024-09-30 (about 1 year ago)
Added
2024-09-30 (about 1 year ago)
Last Updated
2024-10-25 (about 1 year ago)

Other

Published
Title
Published
2023-05-22
Title
WP-Piwik < 1.0.28 - Admin+ Stored XSS
Published
2025-07-28
Title
StreamWeasels Twitch Integration < 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2019-06-11
Title
Support Board < 1.2.9 - Authenticated Stored Cross-Site Scripting
Published
2024-12-09
Title
turboSMTP < 4.7 - Reflected Cross-Site Scripting via 'page'
Published
2023-01-27
Title
bbPress Voting < 2.1.11.1 - Admin+ Stored XSS