WooCommerce - excelling eCommerce
[resolved] Cross-Site Scripting Vulnerability - WARNING (5 posts)

  1. tricaricosalvo
    Member
    Posted 10 months ago

    Hi,
    In a few days:
    2.0.15
    2.0.16
    2.0.17

    but reading this below shows that WooCommerce is vulnerable:

    "The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the 'hide-wc-extensions-message' parameter in the 'admin/woocommerce-admin-settings.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session."
    http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5156.php

    PATCH: https://github.com/woothemes/woocommerce/commit/4b581450480d74667b76d6ba50961d79a6d7a0c1

    When will you release a new version, 2.0.18?

    http://wordpress.org/plugins/woocommerce/
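To illustrate the bug class the quoted advisory describes (a request parameter reflected into admin-page HTML without escaping), here is an added PHP example that is not WooCommerce's code and not the linked patch; the function names are hypothetical, while esc_attr(), esc_url(), add_query_arg(), wp_unslash() and current_user_can() are the WordPress API the example assumes is loaded.

```php
<?php
// Added illustration only. Assumes WordPress is loaded; wc_demo_* names are hypothetical.

/**
 * Unsafe pattern: the raw query-string value is reflected straight into an
 * HTML attribute. A value containing a quote character can break out of the
 * attribute, which is the failure the advisory reports for this parameter.
 */
function wc_demo_hide_link_unsafe() {
    $val = isset( $_GET['hide-wc-extensions-message'] ) ? $_GET['hide-wc-extensions-message'] : '';
    return '<a href="?hide-wc-extensions-message=' . $val . '">Hide</a>';
}

/**
 * Hardened pattern: accept only the one value the feature needs, build the
 * URL with add_query_arg(), and escape for the context each piece lands in
 * (esc_url() for the href, esc_attr() for a plain attribute).
 */
function wc_demo_hide_link_safe() {
    $raw  = isset( $_GET['hide-wc-extensions-message'] ) ? wp_unslash( $_GET['hide-wc-extensions-message'] ) : '';
    $flag = ( '1' === $raw ) ? '1' : '0'; // whitelist: anything else collapses to '0'
    $url  = add_query_arg( 'hide-wc-extensions-message', $flag );
    return '<a href="' . esc_url( $url ) . '" data-hide="' . esc_attr( $flag ) . '">Hide</a>';
}

/**
 * Rendering point. As the thread notes, this screen lives in the admin area,
 * so the output is additionally gated on a capability check; escaping has
 * already happened in wc_demo_hide_link_safe().
 */
function wc_demo_render_hide_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo wc_demo_hide_link_safe();
}
```

The capability check limits who can reach the page, but it is the output escaping (or whitelisting) that actually removes the XSS; an authenticated admin can still be targeted through a crafted link, so both belong together.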

  2. DVDcartoonz
    Member
    Posted 10 months ago

    I think this is what's happening to my site:

    http://dvdcartoonz.com/checkout

    Says that it's getting redirected to a site called "safetykidz.com"

    Any advice as to how I can get this problem fixed would be greatly appreciated!

  3. pacmen
    Member
    Posted 10 months ago

    Thanks for this info, immediately changed it.

  4. Kloon
    Member
    Posted 10 months ago

    Just a heads up, the issue is only inside the admin panel and unless the person has access to your admin area they cannot trigger the XSS to inject code. It has been patched in 2.0.18 which will go out soon.

  5. Coen Jacobs
    Member
    Plugin Author
    Posted 10 months ago

    Version 2.0.18 has been released and I advise everyone to download at their earliest convenience. Important side note though, as Gerhard also mentioned, this was a very minor security issue and very hard to exploit.

    Still, all security issues will of course be patched, so thanks for all the reports.
