WordPress Plugin Vulnerabilities

YITH WooCommerce Tab Manager < 1.35.1 - Authenticated (Editor+) Stored Cross-Site Scripting

Description

The YITH WooCommerce Tab Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 1.35.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
yith-woocommerce-tab-manager
Fixed in 1.35.1

References

CVE
CVE-2024-35698
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/10ccb769-b186-41c4-b0e8-84b9c4d5e7b0

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
8b579112-3909-4d31-91d4-df8bb9c938be

Timeline

Publicly Published
2024-06-06 (about 1 year ago)
Added
2024-06-13 (about 1 year ago)
Last Updated
2024-06-13 (about 1 year ago)

Other

Published
Title
Published
2026-01-15
Title
Infility Global <= 2.14.52 - Unauthenticated Stored Cross-Site Scripting
Published
2015-06-25
Title
WordPress Landing Pages <= 1.8.7 - Unspecified Cross-Site Scripting (XSS)
Published
2024-09-01
Title
Polls CP <= 1.0.75 - Admin+ Stored XSS via Custom Styles
Published
2024-06-05
Title
MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution < 4.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via hover_animation Parameter
Published
2024-04-30
Title
Sailthru Triggermail <= 1.1 - Admin+ Stored XSS