We are issuing this advisory to alert the WooCommerce community about an XSS vulnerability in WooCommerce versions 8.8.0 and later that we uncovered through our ongoing proactive security testing process. We have already released a patch.
The issue is present on pages that contain the registration and classic checkout forms and allows for the injection of HTML and JavaScript into the page. We have already released a patched version of WooCommerce 8.9 and backported the fix to WooCommerce 8.8. This fix will also be included in WooCommerce 9.0. If you are running WooCommerce 8.8.0 or later, we strongly recommend updating as soon as possible.
Issue Overview
A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting: a type of attack where a bad actor manipulates a link so that malicious content, for example JavaScript, is included on a page. While the content is not saved to the database, such links may be sent to victims for malicious purposes.
The Details
- In WooCommerce 8.5, we released the Order Attribution feature. This optional feature uses the Sourcebuster.js library to read the traffic source data.
- In WooCommerce 8.8, we modified how the client-side part of this feature was implemented. This change used the data collected by Sourcebuster to construct input fields that could be submitted with registration and classic checkout forms. As a result, data that an attacker can control through a manipulated link could be injected into the page, creating a cross-site scripting vulnerability.
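To illustrate the class of defect the two bullets above describe, the following is an added example; it is not WooCommerce's or Sourcebuster's code, and the helper names, the attribution keys and the sample link are hypothetical. It contrasts a builder that interpolates attribution values read from the URL straight into form markup with one that escapes them and accepts only expected keys, and it counts the tags each one emits so the difference is measurable.

```javascript
// Added example (not WooCommerce or Sourcebuster code): attribution values read
// from the landing-page URL are turned into hidden form inputs, first unsafely,
// then with escaping. Helper names and attribution keys are assumed.
const ATTRIBUTION_KEYS = ["utm_source", "utm_medium", "utm_campaign"]; // assumed keys

// Escape the characters that matter inside an HTML attribute or text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the value is concatenated into the markup as-is, so a
// double quote in the value closes the attribute and the remainder is parsed as HTML.
function buildHiddenInputUnsafe(name, value) {
  return '<input type="hidden" name="' + name + '" value="' + value + '">';
}

// Hardened pattern: only expected keys are accepted, and both name and value are escaped.
function buildHiddenInputSafe(name, value) {
  if (!ATTRIBUTION_KEYS.includes(name)) {
    throw new Error("unexpected attribution key: " + name);
  }
  return (
    '<input type="hidden" name="' + escapeHtml(name) +
    '" value="' + escapeHtml(value) + '">'
  );
}

// Read the attribution parameters from a URL the way a landing page would see them.
// URL.searchParams decodes percent-encoded characters, so quotes and angle
// brackets come back in their raw form.
function readAttributionFromUrl(url) {
  const params = new URL(url).searchParams;
  const found = {};
  for (const key of ATTRIBUTION_KEYS) {
    if (params.has(key)) found[key] = params.get(key);
  }
  return found;
}

// Count opening tags in a fragment: an attribute breakout shows up as elements
// the builder never intended to emit.
function countTags(html) {
  return (html.match(/<[a-z]+/gi) || []).length;
}

// Build the hidden inputs both ways for one landing URL.
function renderAttributionInputs(url) {
  const data = readAttributionFromUrl(url);
  const entries = Object.entries(data);
  return {
    unsafe: entries.map(([k, v]) => buildHiddenInputUnsafe(k, v)).join(""),
    safe: entries.map(([k, v]) => buildHiddenInputSafe(k, v)).join(""),
  };
}

// Constructed sample link: the utm_source value carries a double quote and a tag.
const SAMPLE_URL = 'https://shop.example/?utm_source=news"><b>x</b>&utm_medium=email';

const rendered = renderAttributionInputs(SAMPLE_URL);
console.log("unsafe:", rendered.unsafe, "tags:", countTags(rendered.unsafe));
console.log("safe:  ", rendered.safe, "tags:", countTags(rendered.safe));
```

Two hidden inputs are expected for the sample link; the unsafe builder emits a third element because the quote in `utm_source` terminates the `value` attribute, while the escaped output keeps the same text inert. Escaping at the point where untrusted data meets markup is the fix; restricting the accepted keys is an additional layer, not a substitute.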
How Can I Tell If This Affects Me?
To determine if your WooCommerce installation is vulnerable, check the versions of WooCommerce you are running. If your store is running WooCommerce 8.8 or later, and has Order Attribution enabled, your store is vulnerable to this issue. Note that Order Attribution is enabled by default in these versions of WooCommerce.
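The check above combines a version range with a feature flag. The following added example (not WooCommerce code) turns it into a function a store operator can run against the version string and the Order Attribution setting; the fixed versions 8.8.5 and 8.9.3 come from this advisory, and treating 9.0.0 and later as fixed is an assumption based on the statement that the fix will be included in 9.0.

```javascript
// Added example (not WooCommerce code): classify a store from its WooCommerce
// version and its Order Attribution setting. Fixed versions per this advisory.
const FIXED_IN = { "8.8": [8, 8, 5], "8.9": [8, 9, 3] };

// Parse "major.minor[.patch]" into three numbers; a missing patch counts as 0.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(text).trim());
  if (!m) throw new Error("unrecognised version: " + text);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed version falls inside the vulnerable range.
function versionIsVulnerable(version) {
  const v = parseVersion(version);
  // Releases before 8.8.0 never had the affected code path.
  if (compareVersions(v, [8, 8, 0]) < 0) return false;
  // 9.0.0 and later ship with the fix (assumption based on the advisory).
  if (compareVersions(v, [9, 0, 0]) >= 0) return false;
  const fixed = FIXED_IN[v[0] + "." + v[1]];
  // A branch in range with no listed fix is treated as vulnerable.
  if (!fixed) return true;
  return compareVersions(v, fixed) < 0;
}

// Combine the version check with the feature flag the advisory calls out.
function assessStore(version, orderAttributionEnabled) {
  if (!versionIsVulnerable(version)) return "not affected";
  return orderAttributionEnabled
    ? "vulnerable: update now"
    : "mitigated: update when possible";
}

console.log(assessStore("8.8.4", true));  // Order Attribution on, unpatched branch
console.log(assessStore("8.9.2", false)); // feature disabled, still needs the update
console.log(assessStore("8.9.3", true));  // patched release
```

Order Attribution is enabled by default in the affected versions, so unless the setting has been changed deliberately the flag should be assumed to be on.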
Actions We Are Taking
We have already taken the following preventative action:
- Patch development: a patch has been developed to address this issue, and has been backported to WooCommerce 8.8 and 8.9.
Next, we'll undertake a thorough retrospective and identify ways in which this could be avoided.
In an effort to contribute to the overall security of software applications and protect users’ data from potential threats, we have created a CVE for this vulnerability.
What Action Should I Take?
You should immediately take one of the following actions if you are affected by this issue:
- Update to WooCommerce 8.9.3, or the backported version 8.8.5. While the fix is also included in WooCommerce 9.0, we do not recommend waiting for it. You can download them using the links below:
- If you're unable to update immediately, you should disable Order Attribution. This vulnerability can only be exploited if Order Attribution is enabled. Disabling Order Attribution is a reasonable temporary fix, but we still strongly recommend that you upgrade WooCommerce as soon as you can.
Thanks
Thank you to ecaron for reporting this bug through our HackerOne Bug Bounty program. We appreciate your disclosure.