WordPress Plugin Vulnerabilities

YITH WooCommerce Wishlist < 3.33.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Description

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to 3.33.0 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
yith-woocommerce-wishlist
Fixed in 3.33.0

References

CVE
CVE-2024-34385
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/603813a4-73e1-47fd-8a6c-9416d21b6c88

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Phill Sav (Savphill)
Verified
No
WPVDB ID
d528768f-5c72-4ee6-8412-0606f1293d14

Timeline

Publicly Published
2024-05-30 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2024-06-11 (about 1 year ago)

Other

Published
Title
Published
2025-09-10
Title
WP Scriptcase <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Published
2024-04-29
Title
CodeBard's Patron Button and Widgets for Patreon <= 2.2.0 - Reflected Cross-Site Scripting
Published
2025-11-26
Title
Simple Folio < 1.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-04-09
Title
HTML5 Video Player with Playlist <= 2.50 - Reflected Cross-Site Scripting
Published
2025-06-19
Title
Inventory Presser < 15.2.7 - Admin+ Stored XSS