Developer Advisory: XSS Vulnerability in WooCommerce 8.8.0 and later

We are issuing this advisory to alert the WooCommerce community about an XSS vulnerability in WooCommerce versions 8.8.0 and later that we uncovered through our ongoing proactive security testing process.  We have already released a patch.

The issue is present on pages that contain the registration and classic checkout and allows for the injection of HTML and JavaScript into the page. We already released a patched version of WooCommerce 8.9, and backported the fix to WooCommerce 8.8. This fix will also be included in WooCommerce 9.0. If you are running WooCommerce 8.8.0 or later, we strongly recommend updating as soon as possible.

Issue Overview

A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting โ€” a type of attack where a bad actor can manipulate a link to include malicious content, for example, JavaScript, on a page. While the content is not saved to the database, the links may be sent to victims for malicious purposes.

The Details

  • In WooCommerce 8.5, we released the Order Attribution feature. This optional feature uses the Sourcebuster.js library to read the traffic source data.
  • In WooCommerce 8.8, we modified how the client-side part of this feature was implemented. This change used the data collected by Sourcebuster to construct input fields that could be submitted with registration and classic checkout forms. As a result, this created a vulnerability allowing attackers to inject code onto the page. 

How Can I Tell If This Affects Me?

To determine if your WooCommerce installation is vulnerable, check the versions of WooCommerce you are running. If your store is running WooCommerce 8.8 or later, and has Order Attribution enabled, your store is vulnerable to this issue. Note that Order Attribution is enabled by default in these versions of WooCommerce.

Actions We Are Taking

We have already taken the following preventative action:

  • Patch development: a patch has been developed to address this issue, and has been backported to WooCommerce 8.8 and 8.9.

Next, weโ€™ll undertake a thorough retrospective and identify ways in which this could be avoided.

In an effort to contribute to the overall security of software applications and protect users’ data from potential threats, we have created a CVE for this vulnerability.

What Action Should I Take?

You should immediately take one of the following actions if you are affected by this issue:

  • Update to WooCommerce 8.9.3, or the backported version 8.8.5. While the fix is also included in WooCommerce 9.0, we do not recommend waiting for it. You can download them using the links below:
    • WooCommerce 8.9.3 (zip)
    • WooCommerce 8.8.5 (zip)
  • If youโ€™re unable to update immediately, you should disable store attribution. This vulnerability is only possible to exploit if Order Attribution is enabled. Disabling order attribution is a good temporary fix, but we strongly recommend that you upgrade WooCommerce periodically.

Thanks

Thank you to ecaron for reporting this bug through our HackerOne Bug Bounty program. We appreciate your disclosure.


Keep yourself in the loop!

Sign up for the WooCommerce developer newsletter:
Hidden
Hidden
Hidden


One response to “Developer Advisory: XSS Vulnerability in WooCommerce 8.8.0 and later”

  1. Eduard Avatar

    Hi,
    on the morning of June 10, I noticed a very large number of false registrations on our online store and attempts to place orders, around 200 attempts. The site had all the updates, during the day I received a message related to this security update and I immediately made this update as well. We use the Checkout Field Editor for WooCommerce module for checkout. After these attempts, I did not notice any other problems on the website or at the checkout, not even the next day. Could we have been affected, how could we check if the update eliminated problems and if we were affected? Thank you?

Leave a Reply

Your email address will not be published. Required fields are marked *