WooCommerce Extension – Reflected XSS Vulnerability

Wordfence


On November 1, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action such as clicking on a crafted link.
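The pattern behind a reflected XSS of this kind, shown as an added example rather than the plugin's own code: an admin-side page echoes a request parameter unescaped, and the hardened version gates the page on a capability and nonce and escapes every reflected value. The parameter name `subject`, the menu slug, the nonce action and the function names are assumptions; the advisory names none of them.

```php
<?php
// Added illustration, not code from the "Preview E-mails for WooCommerce" plugin.
// Parameter, slug and nonce names below are assumed for the example.

// Vulnerable pattern: a request parameter is written straight into the HTML.
// A link carrying JavaScript in that parameter runs in the administrator's
// browser as soon as they open it, because nothing is escaped.
function pe_wc_preview_vulnerable() {
    $subject = isset( $_GET['subject'] ) ? $_GET['subject'] : '';
    echo '<h2>Preview: ' . $subject . '</h2>';
}

// Hardened pattern. Output escaping is the actual fix for the XSS; the
// capability check and nonce are defence in depth that also make a crafted
// link from outside the site's own UI fail before anything is rendered.
function pe_wc_preview_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to preview e-mails.', 'pe-wc-example' ) );
    }
    check_admin_referer( 'pe_wc_preview' ); // dies on a missing or invalid nonce

    $subject = isset( $_GET['subject'] )
        ? sanitize_text_field( wp_unslash( $_GET['subject'] ) )
        : '';

    // Escape for the exact context each value lands in:
    // esc_html() for text nodes, esc_attr() for attribute values.
    echo '<h2>Preview: ' . esc_html( $subject ) . '</h2>';
    echo '<input type="text" name="subject" value="' . esc_attr( $subject ) . '">';
}

// Links generated by the site itself carry the nonce the hardened handler expects.
function pe_wc_preview_link( $subject ) {
    $url = add_query_arg(
        array( 'page' => 'pe-wc-preview', 'subject' => $subject ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'pe_wc_preview' );
}
```

Escaping at output time is what closes the reflected XSS; the nonce and capability check only reduce who can reach the page and from where.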

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.

We sent the full disclosure details on November 4, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 8, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Preview E-mails for WooCommerce”, which is version 2.0.1 at the time of this publication.

Description: Reflected Cross-Site Scripting
Affected Plugin: Preview E-mails for WooCommerce

Read More: https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability/