All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.
We sent the full disclosure details on November 4, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 8, 2021.
We strongly recommend ensuring that your site has been updated to the latest patched version of “Preview E-Mails for WooCommerce”, which is version 2.0.1 at the time of this publication.
Description: Reflected Cross-Site Scripting
Affected Plugin: Preview E-mails for WooCommerce