WordPress Plugin Vulnerabilities

Doofinder for WooCommerce < 2.1.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

Description

The Doofinder WP & WooCommerce Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

Plugin icon
doofinder-for-woocommerce
Fixed in 2.1.9

References

CVE
CVE-2024-25596
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/13159a71-c183-4fc2-98af-8b9e60508a1c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.4 (medium)

Miscellaneous

Original Researcher
Dhabaleshwar Das
Verified
No
WPVDB ID
eed840f6-dd01-49db-ab56-e03ffd02de4a

Timeline

Publicly Published
2024-02-12 (about 2 years ago)
Added
2024-02-14 (about 2 years ago)
Last Updated
2024-02-14 (about 2 years ago)

Other

Published
Title
Published
2025-02-26
Title
BuddyBoss Platform < 2.8.00 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'link_title'
Published
2024-06-28
Title
PowerPack Lite for Beaver Builder < 1.3.0.5 - Authenticated (Editor+) Stored Cross-Site Scripting
Published
2022-04-20
Title
Social Stickers <= 2.2.9 - Stored Cross-Site Scripting via CSRF
Published
2024-05-06
Title
Comments Evolved for WordPress <= 1.6.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-03-24
Title
Frndzk Expandable Bottom Bar <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via text Parameter