WordPress Plugin Vulnerabilities

YITH WooCommerce Ajax Search < 2.7.1 - Contributor+ Stored XSS

Description

YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts.

Proof of Concept

Affects Plugins

Plugin icon
yith-woocommerce-ajax-search
Fixed in 2.7.1

References

CVE
CVE-2024-7846

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
John Castro
Submitter
John Castro
Verified
Yes
WPVDB ID
86f7a136-d09b-4637-97ae-2cdaaff172a3

Timeline

Publicly Published
2024-09-02 (about 1 year ago)
Added
2024-09-02 (about 1 year ago)
Last Updated
2024-09-02 (about 1 year ago)

Other

Published
Title
Published
2014-09-17
Title
Mobiloud < 2.3.8 - Multiple Cross-Site Scripting (XSS)
Published
2025-09-19
Title
Author: Munzir <= 0.9 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
RomanCart On WordPress <= 0.0.2 - Reflected Cross-Site Scripting
Published
2024-10-15
Title
G Meta Keywords <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-24
Title
Multi-Column Taxonomy List <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting