WordPress Plugin Vulnerabilities

WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo

Description

A DOM based Cross-Site Scripting (XSS) vulnerability was found to affect the SelectWoo dependency that WooCommerce used. SelectWoo replaces the standard <select> box in web browsers.

Affects Plugins

Plugin icon
woocommerce
Fixed in 4.2.1

References

URL
https://github.com/woocommerce/woocommerce/commit/40f7c2d474e242440b2fb9a886353f5a8772a210
URL
https://github.com/woocommerce/woocommerce/commit/14a26aca2cde9c81ade02bdc6dd0a34e184a4202
URL
https://github.com/woocommerce/selectWoo/releases/tag/1.0.7

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.1 (medium)

Miscellaneous

Verified
No
WPVDB ID
8dac6eec-6573-4de0-b37f-ff09834c50bd

Timeline

Publicly Published
2020-06-23 (about 5 years ago)
Added
2020-06-23 (about 5 years ago)
Last Updated
2020-09-21 (about 5 years ago)

Other

Published
Title
Published
2025-09-16
Title
Appointmind < 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2014-08-01
Title
background-music 1.0 - jPlayer.swf XSS
Published
2024-01-02
Title
3D Flipbook < 1.15.3 - Contributor+ Stored XSS
Published
2023-11-28
Title
File Gallery <= 1.8.5.4 - Reflected Cross-Site Scripting via post_id
Published
2024-10-25
Title
WP Crowdfunding < 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpcf_donate Shortcode