WordPress Plugin Vulnerabilities

YITH WooCommerce Product Add-Ons < 4.6.0 - Unuathenticated Cross-Site Scripting

Description

The YITH WooCommerce Product Add-Ons plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
yith-woocommerce-product-add-ons
Fixed in 4.6.0

References

CVE
CVE-2024-27994
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c3efb7b1-5230-40f9-a8a0-3712916284be

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
beluga
Verified
No
WPVDB ID
e779cdcf-4e62-4c03-ab89-ac4204fd8b9c

Timeline

Publicly Published
2024-03-15 (about 2 years ago)
Added
2024-03-20 (about 2 years ago)
Last Updated
2024-03-20 (about 2 years ago)

Other

Published
Title
Published
2024-04-04
Title
AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL
Published
2024-12-12
Title
Primer MyData for Woocommerce < 4.2.2 - Reflected Cross-Site Scripting
Published
2024-05-10
Title
Thim Elementor Kit < 1.1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Published
2023-05-22
Title
MailChimp Subscribe Forms < 4.0.9.2 - Admin+ Stored XSS
Published
2025-01-10
Title
XML for Avito < 2.5.3 - Reflected Cross-Site Scripting