CVE-2024-8872

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Sep 26, 2024 / Updated: 54d ago

010
CVSS 6.1EPSS 0.05%Medium
CVE info copied to clipboard

Summary

The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Impact

This vulnerability allows unauthenticated attackers to inject malicious scripts into web pages. If successful, these scripts will execute in the context of other users' browsers when they interact with the infected page. This can lead to theft of sensitive information (such as session cookies or other authentication credentials), manipulation of page content, or redirection of users to malicious sites. The attack requires user interaction, which somewhat limits its scope, but it can still have significant consequences if exploited successfully.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 4.3.22 of the Store Hours for WooCommerce plugin.

Mitigation

1. Update the Store Hours for WooCommerce plugin to version 4.3.22 or later. 2. If immediate updating is not possible, consider temporarily disabling the plugin until it can be updated. 3. Implement Content Security Policy (CSP) headers to help mitigate the risk of XSS attacks. 4. Educate users about the risks of clicking on untrusted links, especially those related to the Store Hours functionality. 5. Regularly monitor for and apply security updates to all WordPress plugins, themes, and core installations.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8872. See article

Sep 26, 2024 at 8:45 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 26, 2024 at 8:46 AM
CVE Assignment

NVD published the first details for CVE-2024-8872

Sep 26, 2024 at 9:15 AM
CVSS

A CVSS base score of 6.1 has been assigned.

Sep 26, 2024 at 9:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.3%)

Sep 27, 2024 at 10:25 AM
Static CVE Timeline Graph

Affected Systems

Bizswoop/store_hours_for_woocommerce
+null more

Patches

plugins.trac.wordpress.org
+null more

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements
+null more

News

Update Sun Oct 27 14:34:00 UTC 2024
Update Sun Oct 27 14:34:00 UTC 2024
Update Sat Oct 26 14:31:44 UTC 2024
Update Sat Oct 26 14:31:44 UTC 2024
CVE-2024-8872
Medium Severity Description The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Read more at https://www.tenable.com/cve/CVE-2024-8872
Medium - CVE-2024-8872 - The Store Hours for WooCommerce plugin for...
The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to,...
Store Hours for WooCommerce <= 4.3.20 - Reflected Cross-Site Scripting
Bizswoop - MEDIUM - CVE-2024-8872 The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI